Abstract:  The data link layer in a layered communication network is designed to ensure reliable data transfer over a noisy physical channel. Formal specifications are given for physical channels and data links, in terms of I/O automata. Based on these specifications, two impossibility results are proved. First, no data link protocol can tolerate crashes of the host processors on which the protocol runs. Second, any data link protocol constructed to use an arbitrary non-FIFO physical channel requires unbounded headers.

1  Introduction 

Network protocols are decomposed into layers in order to reduce the complexity of their design. Each layer has a particular abstract behavior, describable in terms of a particular collection of abstract actions. This abstract behavior is provided for the use of the next higher layer, and is implemented in terms of the abstract behavior of the next lower layer. A thorough discussion of network layers can be found in [T].

The physical layer is the lowest layer in the hierarchy, and is implemented directly in terms of the physical transmission media. There are two classes of transmission media that are commonly considered, one that ensures FIFO behavior for the corresponding physical channel and the other that does not. (A physical channel is said to exhibit FIFO behavior provided that messages are received on the physical channel in the same order as they are sent.) The transmission media are noisy; therefore, the physical layer does not ensure that a message that is sent will be received.

The data link layer is the next higher layer in the network hierarchy. In contrast to the physical layer, the data link layer ensures reliable data transfer, though only across one hop in the network. This means that every message that is sent on a data link to a neighboring node is eventually received at the other end (unless a link failure occurs) and also that the data link exhibits FIFO behavior. (That is, messages are received on the data link in the same order as they are sent.)

We have taken the terminology “physical channel” and “data link” from the OSI layered communication model [Z] used by the International Standards Organization. There are many different kinds of layered networks, not all of which use the particular layers specified in the ISO model. However, most of the important layered networks have their two lowest layers very similar to those described here, although their terminology may be different. For example, the ARPANET data link layer is called the “IMP-IMP” [MW77] layer, while the SNA and DECNET data link layers are called “data link control” layers [C78,W80].

Data links are implemented using protocols that interact by communicating over physical channels. Some examples of interesting data link protocols are HDLC (proposed by ISO), SDLC (developed by IBM) and LAPB (used by CCITT). These protocols are very similar; they all require FIFO physical channels, and they are all based on a “sliding window” automatic repeat request (ARQ) algorithm, where messages are sent in packets whose headers contain a sequence number for the message, and where acknowledgements contain the sequence number of the next message expected. Both sequence numbers are kept modulo a number that is at least one more than the size of the window, which is the maximum difference allowed between the greatest sequence number sent by the transmitter and the greatest sequence number of a message for which the sender has received an acknowledgement. The correctness of this algorithm has been proved using many different formal methods, under the assumption that the peer processes that carry out the protocol are correctly initialized. However, Baratz and Segall [BS83] show that the protocols mentioned may not reach a satisfactory initialization after the underlying physical link fails and then recovers. In [BS83] new link initialization strategies are presented, each of which can be combined with a sliding window algorithm to give a protocol that uses a small amount of memory and can tolerate an arbitrary number of link failures. The resulting protocols require access to one bit of non-volatile memory, that is, storage that retains its state across a crash of the processor on which the protocol is running.
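The modulus requirement for the sliding window algorithm described above can be exercised on a small model. The following is an added example, not code from the paper or from any of the protocols named; the Sender and Receiver classes, the interpretation of acknowledgements and the constructed window scenario are my own assumptions.

```python
# Added example (not from the paper): a deterministic model of the sliding-window
# ARQ sketched above, showing why both sequence numbers must be kept modulo a
# number at least one greater than the window size. Assumed details (mine): a
# receiver that accepts only the next expected sequence number, and a sender
# whose window bounds the messages sent but not yet acknowledged.
from dataclasses import dataclass, field


@dataclass
class Receiver:
    modulus: int
    expected: int = 0                   # next sequence number expected (mod modulus)
    delivered: list = field(default_factory=list)

    def on_packet(self, seq, payload):
        """Accept the packet only if it carries the expected sequence number, and
        always answer with the sequence number of the next message expected."""
        if seq == self.expected:
            self.delivered.append(payload)
            self.expected = (self.expected + 1) % self.modulus
        return self.expected


@dataclass
class Sender:
    window: int
    modulus: int
    next_index: int = 0                 # messages handed to the sender so far (unbounded)
    acked_upto: int = 0                 # messages known to be acknowledged (unbounded)

    def can_send(self):
        # Window rule from the text: the difference between the greatest sequence
        # number sent and the greatest one acknowledged never exceeds the window.
        return self.next_index - self.acked_upto < self.window

    def header(self, index):
        # The header carries only the sequence number: the index reduced mod modulus.
        return index % self.modulus

    def ack_candidates(self, ack):
        """Every count of acknowledged messages consistent with an ack value. The
        receiver can only be expecting an index between acked_upto and next_index,
        so an ack is unambiguous exactly when one such index matches it."""
        return [j for j in range(self.acked_upto, self.next_index + 1)
                if j % self.modulus == ack]


def fill_window(window, modulus, deliver):
    """Send a full window of messages. With deliver=True the channel delivers every
    packet, with deliver=False it loses all of them. Returns the sender and the
    last ack value the receiver produced (the only ack the sender gets to see)."""
    tx, rx = Sender(window, modulus), Receiver(modulus)
    ack = rx.expected
    while tx.can_send():
        seq = tx.header(tx.next_index)
        if deliver:
            ack = rx.on_packet(seq, f"m{tx.next_index}")
        tx.next_index += 1
    return tx, ack


def acks_collide(window, modulus):
    """True if 'everything delivered' and 'everything lost' yield the same ack."""
    return fill_window(window, modulus, True)[1] == fill_window(window, modulus, False)[1]


def ambiguous(window, modulus):
    """True if the ack seen after a fully delivered window admits more than one
    interpretation at the sender, i.e. it cannot be told from a lost window."""
    tx, ack = fill_window(window, modulus, deliver=True)
    return len(tx.ack_candidates(ack)) > 1
```

With a modulus equal to the window size the ack for "all four delivered" is the same value as the ack for "nothing delivered"; with a modulus of window + 1 the two are distinct.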

When the physical channel does not guarantee FIFO behavior, an ARQ algorithm can still be used, so long as each message is given a distinct sequence number. The resulting algorithm (called Stenning’s protocol) uses headers which may be arbitrarily long.

In this paper, we give formal specifications for both the physical and data link layer, in terms of I/O automata [LT87]. Based on these specifications, we prove two impossibility results about implementing data link protocols.

First, we study the ability of a data link protocol to tolerate crashes of the host processors on which the protocol runs, without access to non-volatile storage. In the absence of non-volatile storage, a host crash can be viewed as resetting the memory of the part of the data link protocol running on that host to its distinguished initial value. We prove that it is impossible for any data link protocol to tolerate host crashes, even if the requirements of the data link protocol are stated very weakly and even if the underlying physical channel is assumed to be FIFO. This impossibility result was conjectured in [BS83]. A very similar result has been obtained independently and concurrently by J. Spinelli (personal communication).

Second, we consider the possibility of achieving reliable data transfer with bounded headers, using a physical layer that does not ensure FIFO behavior. The headers contain information added to messages by the data link protocol before sending them on the physical channel. We prove that unbounded headers are essential for achieving correct data link behavior if the physical channels can reorder packets arbitrarily; this is the case even if the requirements on the data link are weak.

The data link protocol and the physical channel are modeled as I/O automata; thus, the formal content of our results is the nonexistence of I/O automata whose behavior has certain properties. We believe, however, that any reasonable data link protocol can be described in terms of I/O automata, and that the properties chosen accurately reflect the requirements described informally above, so that the results really assert the nonexistence of data link protocols satisfying the requirements.

The rest of the paper is organized as follows. Section 2 contains a summary of the relevant definitions from the I/O automaton model. Sections 3 and 4 contain formal specifications for the physical layer and data link layer, respectively. Section 5 describes constraints on data link protocols. Section 6 gives some specific automata that we will use as physical channels when giving the impossibility proofs. Section 7 contains our proof that no data link protocol can tolerate host crashes, and Section 8 contains our proof that unbounded headers are essential for implementing a data link layer using arbitrary non-FIFO physical channels. Finally, Section 9 contains a discussion of ways in which we believe the definitions can be extended without invalidating the proofs.


2  The  I/O  Automaton  Model 

The input/output automaton model was defined in [LT87] as a tool for modeling concurrent and distributed systems. We refer the reader to [LT87] and to the expository paper [L88] for a complete development of the model, plus motivation and examples. Here, we provide a brief summary of those aspects of the model that are needed for our results.

2.1  Actions and Action Signatures

We assume a universal set of actions, and we refer to a particular occurrence of an action in a sequence as an event.

An action signature $S$ is an ordered triple consisting of three pairwise-disjoint sets of actions. We write $in(S)$, $out(S)$ and $int(S)$ for the three components of $S$, and refer to the actions in the three sets as the input actions, output actions and internal actions of $S$, respectively. We let $ext(S) = in(S) \cup out(S)$ and refer to the actions in $ext(S)$ as the external actions of $S$. Also, we let $local(S) = out(S) \cup int(S)$, and refer to the actions in $local(S)$ as the locally-controlled actions of $S$. Finally, we let $acts(S) = in(S) \cup out(S) \cup int(S)$, and refer to the actions in $acts(S)$ as the actions of $S$. An external action signature is an action signature consisting entirely of external actions, that is, having no internal actions.

2.2  Input/Output  Automata 

An input/output automaton $A$ (also called an I/O automaton or simply an automaton) consists of five components:

1. an action signature $sig(A)$,

2. a set $states(A)$ of states,

3. a nonempty set $start(A) \subseteq states(A)$ of start states,

4. a transition relation $steps(A) \subseteq states(A) \times acts(sig(A)) \times states(A)$, with the property that for every state $s'$ and input action $\pi$ there is a transition $(s', \pi, s)$ in $steps(A)$, and

5. an equivalence relation $part(A)$ on $local(sig(A))$, having at most countably many equivalence classes.

We refer to an element $(s', \pi, s)$ of $steps(A)$ as a step of $A$. The step $(s', \pi, s)$ is called an input step of $A$ if $\pi$ is an input action. Output steps, internal steps, external steps and locally-controlled steps are defined analogously. If $(s', \pi, s)$ is a step of $A$, then $\pi$ is said to be enabled in $s'$. Since every input action is enabled in every state, automata are said to be input-enabled. The partition $part(A)$ is an abstract description of the underlying components of the automaton, and is used to define fairness.

An execution fragment of $A$ is a finite sequence $s_0 \pi_1 s_1 \pi_2 \ldots \pi_n s_n$ or an infinite sequence $s_0 \pi_1 s_1 \pi_2 \ldots \pi_n s_n \ldots$ of alternating states and actions of $A$ such that $(s_i, \pi_{i+1}, s_{i+1})$ is a step of $A$ for every $i$. An execution fragment beginning with a start state is called an execution. We denote the set of executions of $A$ by $execs(A)$. A state is said to be reachable in $A$ if it is the final state of a finite execution of $A$.

A fair execution of an automaton $A$ is defined to be an execution $\alpha$ of $A$ such that the following condition holds for each class $C$ of $part(A)$: if $\alpha$ is finite, then no action of $C$ is enabled in the final state of $\alpha$, while if $\alpha$ is infinite, then either $\alpha$ contains infinitely many events from $C$, or else $\alpha$ contains infinitely many occurrences of states in which no action of $C$ is enabled. Thus, a fair execution gives “fair turns” to each class of $part(A)$. We denote the set of fair executions of $A$ by $fairexecs(A)$.

The schedule of an execution fragment $\alpha$ of $A$ is the subsequence of $\alpha$ consisting of actions, and is denoted by $sched(\alpha)$. We say that $\beta$ is a schedule of $A$ if $\beta$ is the schedule of an execution of $A$. We denote the set of schedules of $A$ by $scheds(A)$. We say that $\beta$ is a fair schedule of $A$ if $\beta$ is the schedule of a fair execution of $A$, and we denote the set of fair schedules of $A$ by $fairscheds(A)$.

The behavior of an execution or schedule $\alpha$ of $A$ is the subsequence of $\alpha$ consisting of external actions, and is denoted by $beh(\alpha)$. We say that $\beta$ is a behavior of $A$ if $\beta$ is the behavior of an execution of $A$. We denote the set of behaviors of $A$ by $behs(A)$. We say that $\beta$ is a fair behavior of $A$ if $\beta$ is the behavior of a fair execution of $A$, and we denote the set of fair behaviors of $A$ by $fairbehs(A)$. When an algorithm is modelled as an I/O automaton, it is the set of fair behaviors of the automaton that reflects the activity of the algorithm that is important to users.


We say that a finite behavior or schedule $\beta$ of $A$ can leave $A$ in state $s$ if there is a finite execution $\alpha$ with $\beta$ as its behavior or schedule, such that the final state in $\alpha$ is $s$.

The following lemma says that no matter what has happened in any finite execution, and no matter what inputs continue to arrive from the environment, an automaton can continue to take steps to give a fair execution.

Lemma 2.1  Let $A$ be an I/O automaton and let $\gamma$ be a sequence of input actions of $A$.

1. Suppose that $\alpha$ is a finite execution of $A$. Then there exists a fair execution $\alpha'$ of $A$ such that $\alpha'$ is an extension of $\alpha$ and $beh(\alpha')|in(A) = (beh(\alpha)|in(A))\gamma$.

2. Suppose that $\beta$ is a finite schedule of $A$. Then there exists a fair schedule $\beta'$ of $A$ such that $\beta'$ is an extension of $\beta$ and $\beta'|in(A) = (\beta|in(A))\gamma$.

2.3  Schedule  Modules 

In line with our approach, where the facts about an algorithm that are important to its users are modelled by the set of fair behaviors of an automaton, we also give a formal model for a problem specification by a set of sequences of actions. More precisely, a problem will be specified by a pair consisting of an action signature and a set of sequences over the actions in that signature. (In most interesting cases, the action signature will be an external action signature.) The mathematical object used to describe a problem is called a “schedule module”.

A schedule module $H$ consists of two components:

1. an action signature $sig(H)$, and

2. a set $scheds(H)$ of schedules.

Each schedule in $scheds(H)$ is a finite or infinite sequence of actions of $H$.

The behavior of a schedule $\beta$ of $H$ is the subsequence of $\beta$ consisting of external actions, and is denoted by $beh(\beta)$. We say that $\beta$ is a behavior of $H$ if $\beta$ is the behavior of an execution of $H$. We denote the set of behaviors of $H$ by $behs(H)$. We extend the definitions of fair schedules and fair behaviors to schedule modules in a trivial way, letting $fairscheds(H) = scheds(H)$ and $fairbehs(H) = behs(H)$.


We use the term module to designate either an automaton or schedule module. If $M$ is a module, we sometimes write $acts(M)$ as shorthand for $acts(sig(M))$, and likewise for $in(M)$, $out(M)$, etc. If $\beta$ is any sequence of actions and $M$ is a module, we write $\beta|M$ for $\beta|acts(M)$.

2.4  Solving  Problems 

Now we are ready to define our notion of “solving”. This notion is intended for describing the way in which particular algorithms (formalized as automata) solve particular problems (formalized as schedule modules). Let $A$ be an automaton and $H$ a schedule module with the same external action signature as $A$. Then we say that $A$ solves $H$ if $fairbehs(A) \subseteq behs(H)$.

2.5  Composition 

The most useful way of combining I/O automata is by means of a composition operator, as defined in this subsection. This models the way algorithms interact, as for example when the pieces of a communication protocol at different nodes and a lower-level protocol all work together to provide a higher-level service.

2.5.1  Composition  of  Action  Signatures 

Let $I$ be an index set that is at most countable. A collection $\{S_i\}_{i \in I}$ of action signatures is said to be strongly compatible if for all $i, j \in I$ with $i \neq j$, we have

1. $out(S_i) \cap out(S_j) = \emptyset$,

2. $int(S_i) \cap acts(S_j) = \emptyset$, and

3. no action is in $acts(S_i)$ for infinitely many $i$.

Thus, no action is an output of more than one signature in the collection, and internal actions of any signature do not appear in any other signature in the collection.

The composition $S = \prod_{i \in I} S_i$ of a collection of strongly compatible action signatures $\{S_i\}_{i \in I}$ is defined to be the action signature with $in(S) = \bigcup_{i \in I} in(S_i) \setminus \bigcup_{i \in I} out(S_i)$, $out(S) = \bigcup_{i \in I} out(S_i)$, and $int(S) = \bigcup_{i \in I} int(S_i)$. Thus, output actions are those that are outputs of any of the component signatures, and similarly for internal actions. Input actions are any actions that are inputs to any of the component signatures, but outputs of no component signature.

2.5.2  Composition  of  Automata 

A collection $\{A_i\}_{i \in I}$ of automata is said to be strongly compatible if their action signatures are strongly compatible. The composition $A = \prod_{i \in I} A_i$ of a strongly compatible collection of automata $\{A_i\}_{i \in I}$ has the following components:

1. $sig(A) = \prod_{i \in I} sig(A_i)$,

2. $states(A) = \prod_{i \in I} states(A_i)$,

3. $start(A) = \prod_{i \in I} start(A_i)$,

4. $steps(A)$ is the set of triples $(s_1, \pi, s_2)$ such that for all $i \in I$, if $\pi \in acts(A_i)$ then $(s_1[i], \pi, s_2[i]) \in steps(A_i)$, and if $\pi \notin acts(A_i)$ then $s_1[i] = s_2[i]$, and

5. $part(A) = \bigcup_{i \in I} part(A_i)$.

Since the automata $A_i$ are input-enabled, so is their composition, and hence their composition is an automaton. Each step of the composition automaton consists of all the automata that have a particular action in their signatures performing that action concurrently, while the automata that do not have that action in their signatures do nothing. The partition for the composition is formed by taking the union of the partitions for the components. Thus, a fair execution of the composition gives fair turns to all of the classes within all of the component automata. In other words, all component automata in a composition continue to act autonomously. If $\alpha = s_0 \pi_1 s_1 \ldots$ is an execution of $A$, let $\alpha|A_i$ be the sequence obtained by deleting $\pi_j s_j$ when $\pi_j$ is not an action of $A_i$, and replacing the remaining $s_j$ by $s_j[i]$.

The following basic results relate executions, schedules and behaviors of a composition to those of the automata being composed. The first result says that the projections of executions of a composition onto the components are executions of the components, and similarly for schedules, etc. The parts of this result dealing with fairness depend on the fact that at most one component automaton can impose preconditions on each action.

* Note that the second and third components listed are just ordinary Cartesian products, while the first component uses a previous definition.

* We use the notation $s[i]$ to denote the $i$-th component of the state vector $s$.

Lemma 2.2  Let $\{A_i\}_{i \in I}$ be a strongly compatible collection of automata, and let $A = \prod_{i \in I} A_i$. If $\alpha \in execs(A)$ then $\alpha|A_i \in execs(A_i)$ for all $i \in I$. Moreover, the same result holds for $fairexecs$, $scheds$, $fairscheds$, $behs$ and $fairbehs$ in place of $execs$.

Certain converses of the preceding lemma are also true. The following lemma says that executions of component automata can be patched together to form an execution of the composition.

Lemma 2.3  Let $\{A_i\}_{i \in I}$ be a strongly compatible collection of automata, and let $A = \prod_{i \in I} A_i$. For all $i \in I$, let $\alpha_i$ be an execution of $A_i$. Suppose $\beta$ is a sequence of actions in $ext(A)$ such that $\beta|A_i = beh(\alpha_i)$ for every $i$. Then there is an execution $\alpha$ of $A$ such that $\beta = beh(\alpha)$ and $\alpha_i = \alpha|A_i$ for all $i$. Moreover, if $\alpha_i$ is a fair execution of $A_i$ for all $i$, then $\alpha$ may be taken to be a fair execution of $A$.

Similarly, schedules or behaviors of component automata can be patched together to form schedules or behaviors of the composition.

Lemma 2.4  Let $\{A_i\}_{i \in I}$ be a strongly compatible collection of automata, and let $A = \prod_{i \in I} A_i$. Let $\beta$ be a sequence of actions in $acts(A)$. If $\beta|A_i \in scheds(A_i)$ for all $i \in I$, then $\beta \in scheds(A)$. Moreover, the same result holds for $fairscheds$, $behs$ and $fairbehs$ in place of $scheds$.

2.6  Hiding  Output  Actions 

We now define an operator that hides a designated set of output actions in a given automaton to produce a new automaton in which the given actions are internal. Namely, suppose $A$ is an I/O automaton and $\Phi \subseteq out(A)$ is any subset of the output actions of $A$. Then we define a new automaton, $hide_\Phi(A)$, to be exactly the same as $A$ except for its signature component. For the signature component, we have $in(hide_\Phi(A)) = in(A)$, $out(hide_\Phi(A)) = out(A) \setminus \Phi$, and $int(hide_\Phi(A)) = int(A) \cup \Phi$.
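To make the definitions of this section concrete, here is an added example (not code from the paper): a minimal executable rendering of I/O automata, their composition and the projection $\alpha|A_i$, with the first claim of Lemma 2.2 checked on a constructed execution of a sending station composed with a lossy channel. All class, function and action names are my own, and the partition $part(A)$ and fairness are left out.

```python
# Added example, not from the paper: the I/O automaton definitions above made
# executable, with composition (2.5.2), the projection alpha|A_i and the first
# claim of Lemma 2.2 checked on a constructed execution. The partition part(A)
# and fairness are omitted; class, function and action names are my own.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

@dataclass(frozen=True)
class Automaton:
    name: str
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    internals: FrozenSet[str]
    start: object
    # steps(A) as a function (state, action) -> possible next states; [] means the
    # action is not enabled there. Input actions must be enabled in every state.
    trans: Callable[[object, str], List[object]]

    def acts(self):
        return self.inputs | self.outputs | self.internals

    def is_step(self, s1, act, s2):
        return s2 in self.trans(s1, act)

def strongly_compatible(autos):
    """No action is an output of two automata, and internals appear nowhere else."""
    return all(not (a.outputs & b.outputs) and not (a.internals & b.acts())
               for a in autos for b in autos if a is not b)

def compose(autos):
    """Composition: the state is a tuple of component states; each action is taken
    jointly by every automaton having it in its signature, the others stay put."""
    assert strongly_compatible(autos)
    all_out = frozenset().union(*(a.outputs for a in autos))
    all_in = frozenset().union(*(a.inputs for a in autos)) - all_out
    all_int = frozenset().union(*(a.internals for a in autos))

    def trans(s, act):
        results = [()]
        for i, a in enumerate(autos):
            nexts = a.trans(s[i], act) if act in a.acts() else [s[i]]
            results = [r + (n,) for r in results for n in nexts]
        return results
    return Automaton("||".join(a.name for a in autos), all_in, all_out, all_int,
                     tuple(a.start for a in autos), trans)

def is_execution(auto, alpha):
    """alpha = [s0, pi1, s1, pi2, s2, ...]: starts in start(A), every triple is a step."""
    return alpha[0] == auto.start and all(
        auto.is_step(alpha[k - 1], alpha[k], alpha[k + 1]) for k in range(1, len(alpha) - 1, 2))

def project(alpha, autos, i):
    """alpha|A_i: drop pi_j s_j when pi_j is not an action of A_i, and replace the
    remaining states by their i-th component."""
    out = [alpha[0][i]]
    for k in range(1, len(alpha) - 1, 2):
        if alpha[k] in autos[i].acts():
            out += [alpha[k], alpha[k + 1][i]]
    return out

# Two constructed components: a station that sends packets 0 and 1 in order, and a
# lossy channel whose state is the set of packets in transit.
PACKETS = (0, 1)

def sender_trans(s, act):
    i = int(act[len("send_pkt("):-1])
    return [s + 1] if s == i else []            # send_pkt(i) enabled only when i is next

def channel_trans(s, act):
    kind, p = act[:-1].split("(")
    p = int(p)
    if kind == "send_pkt":                      # input action: enabled in every state
        return [s | {p}]
    return [s - {p}] if p in s else []          # receive_pkt / lose need p in transit

SENDER = Automaton("sender", frozenset(), frozenset(f"send_pkt({p})" for p in PACKETS),
                   frozenset(), 0, sender_trans)
CHANNEL = Automaton("channel", frozenset(f"send_pkt({p})" for p in PACKETS),
                    frozenset(f"receive_pkt({p})" for p in PACKETS),
                    frozenset(f"lose({p})" for p in PACKETS), frozenset(), channel_trans)
SYSTEM = compose([SENDER, CHANNEL])

# A constructed execution of the composition: packet 0 is lost, packet 1 arrives.
ALPHA = [(0, frozenset()), "send_pkt(0)", (1, frozenset({0})), "lose(0)", (1, frozenset()),
         "send_pkt(1)", (2, frozenset({1})), "receive_pkt(1)", (2, frozenset())]

def lemma_2_2_holds(alpha=ALPHA):
    """Lemma 2.2, first part: projections of an execution of the composition are
    executions of the components."""
    parts = [SENDER, CHANNEL]
    return is_execution(SYSTEM, alpha) and all(
        is_execution(a, project(alpha, parts, i)) for i, a in enumerate(parts))
```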
3  The Physical Layer

The physical layer is the lowest layer in the OSI Reference Model hierarchy, and is implemented directly in terms of the physical transmission media. A standard interface to the physical layer permits implementation of the higher layers independently of the transmission media.

In a typical setting, a physical layer interacts with higher layers at two endpoints, a “transmitting station” and a “receiving station”. The physical layer receives messages called “packets” from the higher layer at the transmitting station, and delivers some of the packets to the higher layer at the receiving station. The physical layer can lose packets. While it is also possible for packets to be corrupted by the transmission medium, we assume that the physical layer masks such corrupted packets using error-detecting codes. Thus, the only faulty behavior we consider is loss of packets.

In this section, we give specifications for physical layer behavior. We will specify two different kinds of physical layers, based on whether or not the channel is required to ensure FIFO delivery of packets. It is convenient to parameterize the specifications by an ordered pair $(t, r)$ of names for the transmitting and receiving stations. The specifications will be given as schedule modules, denoted by the names $PL\text{-}FIFO^{t,r}$ and $PL^{t,r}$ respectively.

Let $P$ be a fixed alphabet of “packets”. Both $PL^{t,r}$ and $PL\text{-}FIFO^{t,r}$ have the action signature illustrated in Figure 1 and given formally as follows.

Input actions:

$send\_pkt^{t,r}(p)$, $p \in P$

$wake^{t,r}$

$fail^{t,r}$

$crash^{t,r}$

Output actions:

$receive\_pkt^{t,r}(p)$, $p \in P$

There are no internal actions. The $send\_pkt^{t,r}(p)$ action represents the sending of packet $p$ on the physical channel by the transmitting station, and the $receive\_pkt^{t,r}(p)$ represents the receipt of packet $p$ by the receiving station. The $wake^{t,r}$ and $fail^{t,r}$ actions represent notification that the transmission medium has become active or inactive, respectively. Finally, the $crash^{t,r}$ action represents notification that the transmitting station has suffered a hardware crash failure. We will often refer to the actions in $acts(PL^{t,r})$ as physical layer actions (for $(t, r)$).

Figure 1: The Physical Layer

In order to define the sets of schedules for the two schedule modules, $scheds(PL^{t,r})$ and $scheds(PL\text{-}FIFO^{t,r})$, it is helpful to define a collection of auxiliary properties of sequences of physical layer actions. These will be properties reflecting the operation of a “good” physical channel in a “good” environment. We will then specify the allowed behaviors of a physical channel by requiring some of these properties to hold if others do. Let $\beta = \pi_1 \pi_2 \ldots$ be a (finite or infinite) sequence of physical layer actions. We define properties for $\beta$.

We define a crash interval in $\beta$ to be a maximal contiguous subsequence not containing a $crash^{t,r}$ event. We say that $\beta$ is well-formed provided that in every crash interval in $\beta$, the $fail^{t,r}$ and $wake^{t,r}$ events alternate strictly, starting with $wake^{t,r}$. Thus, in a well-formed sequence, there are repeated alternating notifications that the transmission medium is active and inactive, with crashes serving as delimiters between sequences of wake and fail events. A crash event can be thought of as including a failure, in cases where the crash follows a wake with no intervening fail.

If $\beta$ is a well-formed sequence of physical layer actions, then a working interval in $\beta$ is the subsequence of $\beta$ from any $wake^{t,r}$ event until the next $fail^{t,r}$ or $crash^{t,r}$ event, or until the end of $\beta$ if there are no later $crash^{t,r}$ or $fail^{t,r}$ events, not including the given $wake^{t,r}$, $fail^{t,r}$ or $crash^{t,r}$ events. If $\beta$ has a $wake^{t,r}$ event with no later $fail^{t,r}$ or $crash^{t,r}$ event, then the suffix of $\beta$ starting after the $wake^{t,r}$ event is called an unbounded working interval. Note that there is at most one unbounded working interval in $\beta$.


Now we define the following properties, (PL1)-(PL6), of well-formed sequences $\beta$ of physical layer actions. The first property is a restriction on the use of the physical channel saying that a packet is sent only when the channel is active.

(PL1) Every $send\_pkt^{t,r}$ event occurs in a working interval in $\beta$.

The next property is a technical restriction on the use of the physical channel saying that the packets sent are always unique. Thus the reader may think of each packet as labeled with a unique identifier; however, a practical data link layer protocol should not use this label, which is included in the model for ease of analysis, but does not correspond to any bits sent on the transmission medium.* The main reason we use this restriction is so that we can easily establish a correspondence between the packets sent and the packets received on the channel.

(PL2) For every packet $p$, there is at most one $send\_pkt^{t,r}(p)$ event in $\beta$.

The next property asserts that no single packet is received more than once.

(PL3) For every packet $p$, there is at most one $receive\_pkt^{t,r}(p)$ event in $\beta$.

The next property says that the physical layer only delivers packets that were previously sent.

(PL4) For every $receive\_pkt^{t,r}(p)$ event in $\beta$, there is a preceding $send\_pkt^{t,r}(p)$ event in $\beta$.

The next is the FIFO property. It says that those packets that are delivered have their $receive\_pkt$ events occurring in the same order as their $send\_pkt$ events. Note that (PL5) may be true even if a packet is delivered and some packet sent earlier is not delivered; there can be gaps in the sequence of delivered packets representing lost packets.

(PL5) (FIFO) Suppose that $p$ and $p'$ are two packets such that the events $\pi_{i_1} = send\_pkt^{t,r}(p)$, $\pi_{i_2} = send\_pkt^{t,r}(p')$, $\pi_{i_3} = receive\_pkt^{t,r}(p)$ and $\pi_{i_4} = receive\_pkt^{t,r}(p')$ appear in $\beta$. Then $i_1 < i_2$ if and only if $i_3 < i_4$.

* In Section 5, we model formally the “header”, the information in a packet that is used by a data link layer protocol, as an equivalence class to which the packet belongs.


So far, all of the properties listed have been safety properties. The final property is a liveness property. It says that if a channel remains active and repeated send events occur, then eventually some packet is delivered.

(PL6) Starting after any point in an unbounded working interval, if infinitely many $send\_pkt^{t,r}$ events occur after that point, then some $receive\_pkt^{t,r}$ event occurs after that point.


Notice that well-formedness, (PL1) and (PL2) are properties that can be guaranteed by the environment that supplies inputs to the physical channel, while (PL3)-(PL6) are properties that the channel itself can enforce. However, we only ask the physical channel to enforce them when the environment plays its part, by providing inputs that ensure well-formedness, (PL1) and (PL2). If the environment violates the input conditions, e.g., if send events happen outside of working intervals, then the specification does not constrain the behavior of the physical channel. Formally, we define the two schedule modules $PL^{t,r}$ and $PL\text{-}FIFO^{t,r}$. We have already defined $sig(PL^{t,r})$ and $sig(PL\text{-}FIFO^{t,r})$. Let $scheds(PL^{t,r})$ be the set of sequences $\beta$ of physical layer actions satisfying the condition “if $\beta$ is well-formed and satisfies (PL1) and (PL2) then $\beta$ satisfies (PL3), (PL4) and (PL6)”. Similarly, let $scheds(PL\text{-}FIFO^{t,r})$ be the set of sequences $\beta$ of physical layer actions satisfying the condition “if $\beta$ is well-formed and satisfies (PL1) and (PL2) then $\beta$ satisfies (PL3), (PL4), the FIFO condition (PL5), and (PL6)”.

A physical channel from $t$ to $r$ is any I/O automaton that solves $PL^{t,r}$. A FIFO physical channel from $t$ to $r$ is any I/O automaton that solves $PL\text{-}FIFO^{t,r}$.

In a “real-world” implementation of a physical channel using a physical transmission medium, (PL6) would not be guaranteed with absolute certainty, but rather with extremely high probability. It seems that the probability could be sufficiently high, however, to justify our decision to ignore in the formal model the small likelihood that no packets ever get delivered on an active channel.
4 The Data Link Layer

The data link layer is the second lowest layer in the hierarchy, and is implemented using the services of the physical layer. Generally, it is implemented in terms of two physical channels, one in each direction. It provides a reliable one-hop message delivery service, which can in turn be used by the next higher layer.

We again assume that there are two endpoints, a "transmitting station" and a "receiving station". The data link layer receives messages from the higher layer at the transmitting station, and delivers them at the receiving station. The data link layer guarantees that every message that is sent is eventually received, assuming that the underlying transmission medium remains active. Furthermore, the order of the messages is preserved.

In this section, we give a specification for data link layer behavior, as a parameterized schedule module $DL^{t,r}$. Let $M$ be a fixed infinite alphabet of "messages". The action signature $sig(DL^{t,r})$ is illustrated in Figure 2, and is given formally as follows.

Input actions:

  $send\_msg^{t,r}(m)$, $m \in M$
  $wake^{t,r}$
  $fail^{t,r}$
  $crash^{t,r}$
  $wake^{r,t}$
  $fail^{r,t}$
  $crash^{r,t}$

Output actions:

  $receive\_msg^{t,r}(m)$, $m \in M$


There are no internal actions. The $send\_msg^{t,r}(m)$ action represents the sending of message $m$ on the data link by the transmitting station, and the $receive\_msg^{t,r}(m)$ action represents the receipt of message $m$ by the receiving station. The $wake^{t,r}$ and $fail^{t,r}$ actions represent notification that the transmission medium in the direction from $t$ to $r$ has become active or inactive, respectively, while the $wake^{r,t}$ and $fail^{r,t}$ actions represent similar notification for the transmission medium in the direction from $r$ to $t$. The $crash^{t,r}$ and $crash^{r,t}$ actions represent notification that the transmitting or receiving station, respectively, has suffered a hardware crash failure. We will often refer to the actions in $acts(DL^{t,r})$ as data link layer actions.

Figure 2: The Data Link Layer. (The figure shows the module $DL^{t,r}$ with input actions $send\_msg^{t,r}$, $wake^{t,r}$, $fail^{t,r}$, $crash^{t,r}$, $wake^{r,t}$, $fail^{r,t}$, $crash^{r,t}$ and output action $receive\_msg^{t,r}$.)

In order to define the set $scheds(DL^{t,r})$, we define a collection of auxiliary properties of sequences of data link layer actions. Let $\beta = \pi_1 \pi_2 \ldots$ be a (finite or infinite) sequence of data link layer actions. We define properties for $\beta$.

We define a transmitter crash interval in $\beta$ to be a maximal contiguous subsequence not containing a $crash^{t,r}$ event, and similarly a receiver crash interval in $\beta$ to be a maximal contiguous subsequence not containing a $crash^{r,t}$ event. We say that $\beta$ is well-formed provided that the following two conditions hold. First, in any transmitter crash interval in $\beta$, the $fail^{t,r}$ and $wake^{t,r}$ events alternate strictly, starting with $wake^{t,r}$. Second, in any receiver crash interval in $\beta$, the $fail^{r,t}$ and $wake^{r,t}$ events alternate strictly, starting with $wake^{r,t}$. Thus, for each direction of the underlying transmission medium, there are repeated alternating notifications that the transmission medium is active and inactive, with crashes serving as delimiters between sequences of wake and fail events.

If $\beta$ is a well-formed sequence of data link layer actions, then a transmitter working interval in $\beta$ is the subsequence of $\beta$ from any $wake^{t,r}$ event until the next $fail^{t,r}$ or $crash^{t,r}$ event, or until the end of $\beta$ if there are no later $fail^{t,r}$ or $crash^{t,r}$ events, not including the given $wake^{t,r}$, $fail^{t,r}$ or $crash^{t,r}$ events. If $\beta$ has a $wake^{t,r}$ event with no later $fail^{t,r}$ or $crash^{t,r}$ event, then the suffix of $\beta$ starting after the $wake^{t,r}$ event is called an unbounded transmitter working interval. We give analogous definitions for receiver working interval and unbounded receiver working interval.

Now we define the following properties, (DL1)-(DL8), of well-formed sequences $\beta$ of data link layer actions. The first property says that there is eventual consistency in the notifications that occur at both ends of the link, about the status of the underlying transmission medium. That this property holds is a reasonable assumption, for example, in the usual case where the same hardware is used for the transmission medium in both directions.

(DL1) There is an unbounded transmitter working interval in $\beta$ if and only if there is an unbounded receiver working interval in $\beta$.

The next five properties are analogous to properties already defined for the physical layer.

(DL2) Every $send\_msg^{t,r}$ event occurs in a transmitter working interval in $\beta$.

(DL3) For every message $m$, there is at most one $send\_msg^{t,r}(m)$ event in $\beta$.

(DL4) For every message $m$, there is at most one $receive\_msg^{t,r}(m)$ event in $\beta$.

(DL5) For every $receive\_msg^{t,r}(m)$ event in $\beta$, there is a preceding $send\_msg^{t,r}(m)$ event in $\beta$.

(DL6) (FIFO) Suppose that $m$ and $m'$ are two messages such that the events $\pi_{i_1} = send\_msg^{t,r}(m)$, $\pi_{i_2} = receive\_msg^{t,r}(m)$, $\pi_{i_3} = send\_msg^{t,r}(m')$ and $\pi_{i_4} = receive\_msg^{t,r}(m')$ appear in $\beta$. Then $i_1 < i_3$ if and only if $i_2 < i_4$.

The remaining two properties describe ways in which the data link layer makes stronger guarantees than does the physical layer. The first of these says that, within a single transmitter working interval, the data link layer does not lose some messages while delivering later ones.

(DL7) Suppose that $\pi_i = send\_msg^{t,r}(m)$ and $\pi_j = send\_msg^{t,r}(m')$ appear in the same transmitter working interval in $\beta$ and $i < j$. If a $receive\_msg^{t,r}(m')$ event appears in $\beta$, then a $receive\_msg^{t,r}(m)$ event also appears in $\beta$.

Finally, we have the data link layer liveness property. It says that all messages that are sent are delivered eventually, provided the link remains active. This property expresses the reliability of the message delivery guaranteed by the data link layer.

(DL8) If a $send\_msg^{t,r}(m)$ event occurs in an unbounded transmitter working interval in $\beta$, then there is a $receive\_msg^{t,r}(m)$ event in $\beta$.

Now we can define the schedule module $DL^{t,r}$. We have already defined $sig(DL^{t,r})$. Let $scheds(DL^{t,r})$ be the set of sequences $\beta$ of data link layer actions satisfying the condition "if $\beta$ is well-formed and satisfies (DL1)-(DL3) then $\beta$ satisfies (DL4)-(DL8)".
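As an added worked example (Python code written for this edition, not part of the original paper), the monitor below checks a finite prefix of a sequence $\beta$ of data link layer actions for well-formedness and for the safety properties (DL2)-(DL7) exactly as defined above. (DL1) and (DL8) speak about unbounded working intervals, so no finite prefix can violate them and the monitor does not check them. The tuple encoding of actions and the sample traces are constructed for this example.

```python
"""Finite-trace monitor for the data link layer specification DL^{t,r}."""
from typing import Iterable, Optional, Tuple

# An action is a tuple: ("send_msg", "t,r", m), ("receive_msg", "t,r", m),
# or ("wake" | "fail" | "crash", "t,r" | "r,t").  This ASCII encoding of the
# paper's actions is an assumption of the example.
Action = Tuple
T_R, R_T = "t,r", "r,t"


def well_formed(beta: Iterable[Action]) -> bool:
    """Within each crash interval, fail and wake alternate strictly, starting with wake."""
    expect = {T_R: "wake", R_T: "wake"}       # next allowed status event per direction
    for act in beta:
        kind, direction = act[0], act[1]
        if kind == "crash":                    # crashes delimit crash intervals
            expect[direction] = "wake"
        elif kind in ("wake", "fail"):
            if kind != expect[direction]:
                return False
            expect[direction] = "fail" if kind == "wake" else "wake"
    return True


def check_dl_safety(beta: list) -> Optional[str]:
    """Return None if beta is well-formed and satisfies (DL2)-(DL7), else the first property violated."""
    if not well_formed(beta):
        return "well-formedness"
    active = False          # inside a transmitter working interval?
    interval = 0            # numbers the transmitter working intervals
    sent = {}               # m -> interval in which send_msg(m) occurred
    received = {}           # m -> index of receive_msg(m) in beta
    send_order = []         # messages in the order they were sent
    for idx, act in enumerate(beta):
        kind, direction = act[0], act[1]
        if direction == T_R and kind == "wake":
            active, interval = True, interval + 1
        elif direction == T_R and kind in ("fail", "crash"):
            active = False
        elif kind == "send_msg":
            m = act[2]
            if not active:                  # (DL2) sends only inside working intervals
                return "(DL2)"
            if m in sent:                   # (DL3) each message sent at most once
                return "(DL3)"
            sent[m] = interval
            send_order.append(m)
        elif kind == "receive_msg":
            m = act[2]
            if m in received:               # (DL4) each message received at most once
                return "(DL4)"
            if m not in sent:               # (DL5) a receive needs a preceding send
                return "(DL5)"
            received[m] = idx
    # (DL6) FIFO: delivered messages are received in the order they were sent.
    delivered = [m for m in send_order if m in received]
    if any(received[a] > received[b] for a, b in zip(delivered, delivered[1:])):
        return "(DL6)"
    # (DL7) no message is skipped while a later one from the same interval is delivered.
    for j, later in enumerate(send_order):
        if later in received:
            for earlier in send_order[:j]:
                if sent[earlier] == sent[later] and earlier not in received:
                    return "(DL7)"
    return None


# Constructed sample traces (not from the paper).
TRACE_OK = [("wake", T_R), ("wake", R_T), ("send_msg", T_R, "a"), ("send_msg", T_R, "b"),
            ("receive_msg", T_R, "a"), ("receive_msg", T_R, "b")]
TRACE_GAP = [("wake", T_R), ("send_msg", T_R, "a"), ("send_msg", T_R, "b"),
             ("receive_msg", T_R, "b")]
TRACE_REORDER = [("wake", T_R), ("send_msg", T_R, "a"), ("send_msg", T_R, "b"),
                 ("receive_msg", T_R, "b"), ("receive_msg", T_R, "a")]
TRACE_ACROSS_FAIL = [("wake", T_R), ("send_msg", T_R, "a"), ("fail", T_R), ("wake", T_R),
                     ("send_msg", T_R, "b"), ("receive_msg", T_R, "b")]
TRACE_OUTSIDE = [("send_msg", T_R, "a")]

if __name__ == "__main__":
    for name in ("TRACE_OK", "TRACE_GAP", "TRACE_REORDER", "TRACE_ACROSS_FAIL", "TRACE_OUTSIDE"):
        print(name, check_dl_safety(globals()[name]))
```

On the constructed traces, TRACE_OK passes; TRACE_GAP violates (DL7), since a message sent earlier in the same working interval was skipped; TRACE_REORDER violates (DL6); TRACE_OUTSIDE violates (DL2); and TRACE_ACROSS_FAIL passes, because a message lost before a $fail^{t,r}$ is exactly what (DL7) permits.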

Although the schedule module $DL^{t,r}$ represents the behavior one would require from an interesting data link layer, it is useful for us to define another schedule module $WDL^{t,r}$ representing weaker requirements on data link behavior. Thus, let $sig(WDL^{t,r}) = sig(DL^{t,r})$, and let $scheds(WDL^{t,r})$ be the set of sequences $\beta$ of data link layer actions satisfying the condition "if $\beta$ is well-formed and satisfies (DL1)-(DL3) then $\beta$ satisfies (DL4), (DL5) and (DL8)".

Although this weaker specification is less interesting than $DL^{t,r}$ for describing properties of a useful data link layer, it is adequate for proving our impossibility results. It is easy to see that $WDL^{t,r}$ is a weaker specification than $DL^{t,r}$, i.e., that $scheds(DL^{t,r}) \subseteq scheds(WDL^{t,r})$. Thus, any automaton that solves $DL^{t,r}$ also solves $WDL^{t,r}$, so that the impossibility results we obtain for solving $WDL^{t,r}$ immediately imply corresponding impossibility results for solving $DL^{t,r}$.
We next prove a simple lemma which will be useful later. In the proof of this lemma we illustrate the way properties such as (DL1)-(DL8) and the basic facts about the I/O automaton model can be used to show the existence of fair behaviors of an automaton that solves the specification for a data link layer.

Lemma 4.1 Let $A$ be any automaton that solves $WDL^{t,r}$, and let $m \in M$. Then there is a fair schedule $\beta = \pi_1 \pi_2 \ldots$ of $A$ such that $beh(\beta) = wake^{t,r}\, wake^{r,t}\, send\_msg^{t,r}(m)\, receive\_msg^{t,r}(m)$, $\pi_1 = wake^{t,r}$ and $\pi_2 = wake^{r,t}$.

Proof: Since the wake actions are inputs of $A$, the sequence $\gamma = wake^{t,r}\, wake^{r,t}\, send\_msg^{t,r}(m)$ is a finite schedule of $A$. By Lemma 2.1, there is a fair schedule $\beta$ of $A$ that extends $\gamma$ and that includes no input events of $A$ except those in $\gamma$. We claim that $beh(\beta)$ must be the sequence $wake^{t,r}\, wake^{r,t}\, send\_msg^{t,r}(m)\, receive\_msg^{t,r}(m)$.

First, note that $beh(\beta)$ is well-formed and satisfies (DL1), (DL2) and (DL3), since $beh(\gamma)$ has these properties and they depend only on the sequence of inputs to $A$. Since $A$ solves $WDL^{t,r}$, $beh(\beta)$ also satisfies (DL4), (DL5) and (DL8). Since $beh(\beta)$ only extends $beh(\gamma)$ with output actions, only $receive\_msg^{t,r}$ actions appear in the suffix.

Since the action $send\_msg^{t,r}(m)$ occurs in an unbounded transmitter working interval in $\beta$, property (DL8) implies that the action $receive\_msg^{t,r}(m)$ appears in $\beta$. Then (DL4) and (DL5) imply that $receive\_msg^{t,r}(m)$ can only appear once, and that no other $receive\_msg^{t,r}$ event can appear. It follows that $beh(\beta)$ is $wake^{t,r}\, wake^{r,t}\, send\_msg^{t,r}(m)\, receive\_msg^{t,r}(m)$. □

5  Data  Link  Implementation 

In this section, we define a "data link protocol", which is intended to be used to implement the data link layer using the services provided by the physical layer. A data link protocol consists of two automata, one at the transmitting station and one at the receiving station. These automata communicate with each other using two physical channels, one in each direction. They also communicate with the outside world, through the data link layer actions we defined in the previous section.

Figure 3 shows how two protocol automata and two physical channels should be connected, in a data link implementation.

5.1  Data  Link  Protocols 

Let $t$ and $r$ again be names (for the transmitting and receiving station respectively). Then a transmitting automaton for $(t, r)$ is any I/O automaton having the following external action signature.

Input actions:

  $send\_msg^{t,r}(m)$, $m \in M$
  $receive\_pkt^{r,t}(p)$, $p \in P$
  $wake^{t,r}$
  $fail^{t,r}$
  $crash^{t,r}$

Output actions:

  $send\_pkt^{t,r}(p)$, $p \in P$

Figure 3: A Data Link Implementation

In addition, there can be any number of internal actions. That is, a transmitting automaton receives requests from the environment of the data link layer to send messages to the receiving station $r$. It also receives packets over the physical channel from $r$. Moreover, it receives notification of the status of the physical channel from $t$ to $r$, and notification of crashes at the transmitting station. It sends packets to $r$ over the physical channel to $r$.

Similarly, a receiving automaton for $(t, r)$ is any I/O automaton having the following external signature.

Input actions:

  $receive\_pkt^{t,r}(p)$, $p \in P$
  $wake^{r,t}$
  $fail^{r,t}$
  $crash^{r,t}$

Output actions:

  $send\_pkt^{r,t}(p)$, $p \in P$
  $receive\_msg^{t,r}(m)$, $m \in M$

Again, there can also be any number of internal actions. That is, a receiving automaton receives packets over the physical channel from $t$. Moreover, it receives notification of the status of the physical channel from $r$ to $t$, and notification of crashes at the receiving station. It sends packets to $t$ over the physical channel to $t$, and it delivers messages to the environment of the data link layer.

A data link protocol is a pair $(A^t, A^r)$, where $A^t$ is a transmitting automaton and $A^r$ is a receiving automaton.

5.2 Correctness of Data Link Protocols

Now we are ready to define correctness of data link protocols. Informally, we say that a data link protocol is "correct" provided that when it is composed with any "correct physical layer" (i.e. a pair of physical channels from $t$ to $r$ and from $r$ to $t$, respectively), the resulting system yields correct data link layer behavior. This reflects the fundamental idea of layering, that the implementation of one layer should not depend on the details of the implementation of other layers, so that each layer can be implemented and maintained independently. Formally, we say that a data link protocol $(A^t, A^r)$ is correct provided that the following is true. For all $C^{t,r}$ and $C^{r,t}$ that are physical channels from $t$ to $r$ and from $r$ to $t$, respectively, $hide_\Phi(D)$ solves $DL^{t,r}$, where $D$ is the composition of $A^t$, $A^r$, $C^{t,r}$ and $C^{r,t}$, and $\Phi$ is the subset of $acts(D)$ consisting of $send\_pkt$ and $receive\_pkt$ actions.

As mentioned earlier, our impossibility results can be proved for weaker data link requirements. Thus we also define weak correctness for data link protocols. This is defined exactly as for correctness, except that $hide_\Phi(D)$ is required to solve $WDL^{t,r}$ instead of $DL^{t,r}$. Obviously, any correct data link protocol is also weakly correct.

We also define what it means for a data link protocol to be correct with respect to FIFO physical channels; again, this is defined exactly as for correctness except that $C^{t,r}$ and $C^{r,t}$ are restricted to range over only FIFO physical channels from $t$ to $r$ and from $r$ to $t$, respectively, rather than over arbitrary physical channels. Finally, we define a notion of weak correctness with respect to FIFO physical channels, for data link protocols. This is defined exactly as for correctness with respect to FIFO physical channels, except that $hide_\Phi(D)$ is required to solve $WDL^{t,r}$ instead of $DL^{t,r}$.

Obviously, any data link protocol that is correct with respect to FIFO physical channels is also weakly correct with respect to FIFO physical channels. Also, any data link protocol that is correct (resp. weakly correct) is also correct (resp. weakly correct) with respect to FIFO physical channels.

5.3 Constraints on Data Link Protocols

In  this  subsection,  we  define  several  constraints  we 
wish  to  consider  for  data  link  protocols. 

5.3.1 Message-Independence

Most data link protocols in the literature are "message-independent" in the sense that the processing done by the protocols does not depend on the contents of messages submitted by the environment. The data link protocol might break up a message into packets, and might construct header information to add to packets, but does not typically carry out drastically different processing based on the specific contents of messages. This is often expressed by saying that the data link layer treats messages (which in fact are usually structured, including, for example, headers from higher layer protocols) as uninterpreted data.

We model message-independence as follows. Let $A = (A^t, A^r)$ be a data link protocol. Let $\equiv$ be an equivalence relation on the domain $M \cup P \cup states(A^t) \cup states(A^r) \cup acts(A^t) \cup acts(A^r)$. Then $A$ is said to be message-independent with respect to the equivalence relation $\equiv$ provided that the following conditions hold.

1. $\equiv$ only relates elements of the same kind, i.e., elements of $M$, or $P$, or $states(A^t)$, etc. Also, a start state cannot be related to a non-start state. Moreover, if $a \equiv a'$ for two actions $a$ and $a'$, then $a$ and $a'$ are identical except possibly for a difference in their message or packet parameter.

2. For each pair $m, m'$ of messages, $m \equiv m'$, $send\_msg^{t,r}(m) \equiv send\_msg^{t,r}(m')$, and $receive\_msg^{t,r}(m) \equiv receive\_msg^{t,r}(m')$.

3. For each pair $p, p'$ of packets, $send\_pkt^{t,r}(p) \equiv send\_pkt^{t,r}(p')$ if and only if $p \equiv p'$, $receive\_pkt^{t,r}(p) \equiv receive\_pkt^{t,r}(p')$ if and only if $p \equiv p'$, $send\_pkt^{r,t}(p) \equiv send\_pkt^{r,t}(p')$ if and only if $p \equiv p'$, and $receive\_pkt^{r,t}(p) \equiv receive\_pkt^{r,t}(p')$ if and only if $p \equiv p'$.

4. For every two states $q$ and $q'$ with $q \equiv q'$, if action $a$ is enabled in $q$ then there is an action $a'$ with $a \equiv a'$, such that $a'$ is enabled in $q'$.

5. Suppose that $q \equiv q'$ and $a \equiv a'$, where action $a$ is enabled in state $q$ and action $a'$ is enabled in state $q'$. If $r$ is a state such that $(q, a, r)$ is a step, then there exists a state $r'$ such that $r \equiv r'$ and $(q', a', r')$ is a step.

We say that data link protocol $A$ is message-independent provided that it is message-independent with respect to some equivalence relation.

For a data link protocol $A$ that is message-independent with respect to an equivalence relation $\equiv$, we define the set $headers(A, \equiv)$ to be the set of equivalence classes of packets. Since all the packets in a given equivalence class are treated in equivalent ways by the protocol, we can think of them as modelling the set of packets that contain a particular pattern of bits in the data link layer header. We say that $A$ has bounded headers if $headers(A, \equiv)$ is a finite set.

Two sequences, $x = x_1 x_2 \ldots$ and $y = y_1 y_2 \ldots$, are said to be equivalent with respect to $\equiv$ if $|x| = |y|$ and for every $i$, $x_i \equiv y_i$.
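To make the five conditions concrete, here is an added worked example in Python (written for this edition, not a protocol from the paper): a constructed stop-and-wait transmitting automaton whose packets carry a one-bit header, together with an equivalence relation $\equiv$ that identifies two packets exactly when their headers agree, two states exactly when their sequence bits agree and both do or both do not hold a pending message, and all messages with each other. Conditions 1, 4 and 5 are checked by brute force over a constructed finite sample of $M$; conditions 2 and 3 are built into the definition of $\equiv$ on actions. The set $headers(A, \equiv)$ then has four classes, so the toy transmitter has bounded headers. A content-dependent variant that silently discards one particular message is included to show how condition 5 fails.

```python
"""Brute-force check of message-independence (conditions 1-5) for a toy transmitter."""
from itertools import product

M_SAMPLE = ("x", "y", "z")   # constructed finite sample of the infinite message alphabet M
BITS = (0, 1)
START = (0, None)            # state = (sequence bit, pending message or None); unique start state


def states():
    return [(b, m) for b in BITS for m in (None,) + M_SAMPLE]


def actions():
    """External actions of the transmitting automaton, restricted to the sample alphabet."""
    acts = [("send_msg", m) for m in M_SAMPLE]
    acts += [("receive_pkt", ("ack", b)) for b in BITS]
    acts += [("send_pkt", (b, m)) for b in BITS for m in M_SAMPLE]
    acts += [("wake",), ("fail",), ("crash",)]
    return acts


def step(q, a):
    """Deterministic transition relation: the r with (q, a, r) a step, or None if a is not enabled in q."""
    bit, pending = q
    kind = a[0]
    if kind == "send_msg":                  # input: always enabled; a busy transmitter drops the message
        return (bit, a[1]) if pending is None else q
    if kind == "receive_pkt":               # input: an ack carrying the current bit frees the slot
        if pending is not None and a[1] == ("ack", bit):
            return (1 - bit, None)
        return q
    if kind == "send_pkt":                  # output: only the pending message, under the current bit
        return q if pending is not None and a[1] == (bit, pending) else None
    if kind == "crash":                     # crashing (Section 5.3.2): back to the start state
        return START
    return q                                # wake, fail: no effect on the transmitter


def step_dependent(q, a):
    """Constructed content-dependent variant: the message "z" is silently discarded."""
    if a[0] == "send_msg" and a[1] == "z":
        return q
    return step(q, a)


def header(p):
    """The header bits of a packet: ack packets and data packets are distinct kinds."""
    return ("ack", p[1]) if p[0] == "ack" else ("data", p[0])


def pkt_equiv(p, p2):
    return header(p) == header(p2)


def state_equiv(q, q2):
    return q[0] == q2[0] and (q[1] is None) == (q2[1] is None)


def act_equiv(a, a2):
    """Conditions 1-3: same kind, parameters equivalent (all messages are equivalent)."""
    if a[0] != a2[0]:
        return False
    if a[0] in ("send_pkt", "receive_pkt"):
        return pkt_equiv(a[1], a2[1])
    return True


def headers():
    """headers(A, ==): equivalence classes of packets, one per header value."""
    pkts = [("ack", b) for b in BITS] + [(b, m) for b in BITS for m in M_SAMPLE]
    return {header(p) for p in pkts}


def check_message_independence(step_fn):
    """Return None if conditions 1, 4 and 5 hold for the automaton step_fn, else the failing condition."""
    S, A = states(), actions()
    if any(state_equiv(START, q) and q != START for q in S):
        return "condition 1"               # start state related to a non-start state
    for q, q2 in product(S, S):
        if not state_equiv(q, q2):
            continue
        for a in A:
            r = step_fn(q, a)
            if r is None:
                continue                   # a is not enabled in q
            enabled2 = [a2 for a2 in A if act_equiv(a, a2) and step_fn(q2, a2) is not None]
            if not enabled2:
                return "condition 4"
            if any(not state_equiv(r, step_fn(q2, a2)) for a2 in enabled2):
                return "condition 5"
    return None


if __name__ == "__main__":
    print("headers:", sorted(headers()))
    print("stop-and-wait:", check_message_independence(step))
    print("content-dependent variant:", check_message_independence(step_dependent))
```

The check only covers the transmitting automaton and a finite sample of $M$; for the toy transmitter that is enough, because its transitions depend on the pending message only through the test "is there one", which is exactly what the state relation records. The variant fails condition 5 at the start state: $send\_msg(x)$ and $send\_msg(z)$ are equivalent inputs, but they lead to non-equivalent states.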

5.3.2 Crashing

Here, we describe a "crashing" property, which says that a crash at either the transmitting or receiving station is able to cause the corresponding protocol automaton to revert back to its start state (thereby losing all processing information in its memory).

We say that a transmitting automaton $A$ is crashing provided that there is a unique start state $q_0$ and $(q, crash^{t,r}, q_0)$ is a step of $A$, for every $q \in states(A)$. Similarly, we say that a receiving automaton $A$ is crashing provided that there is a unique start state $q_0$ and $(q, crash^{r,t}, q_0)$ is a step of $A$, for every $q \in states(A)$. A data link protocol $(A^t, A^r)$ is said to be crashing provided that $A^t$ and $A^r$ are both crashing.


6  Specific  Physical  Channels 

Since the correctness of a data link protocol requires that it work when composed with any physical channels, we are able to prove the impossibility of a correct protocol satisfying certain requirements by merely demonstrating that no such protocol works when combined with a specific pair of physical channels. In this section we introduce the channels we will use. First we introduce a very permissive physical channel, which we will use in Section 8. Then we will introduce a closely related FIFO physical channel, which we will use in Section 7.

6.1 A Permissive Physical Channel

We begin by defining a particular "very permissive" physical channel. This channel can even be considered to be a "universal physical channel", in the sense of Lemma 6.2 below. This channel is not FIFO, and in Section 8 we will use it to prove that unbounded headers are needed in a protocol that uses this channel.

First, we define a set $S$ of ordered pairs of positive integers to be a delivery set provided that it satisfies the following two conditions: for each positive integer $j$, $S$ includes a unique element $(i, j)$, and for each positive integer $i$, it includes at most one element $(i, j)$.

The state of the physical channel $C^{t,r}$ has two counters, $counter_1$ and $counter_2$, an infinite delivery set $S$ of pairs of positive integers, and a partial mapping $packet$ from the set of positive integers to $P$. The counter $counter_1$ represents the number of $send\_pkt^{t,r}$ actions, and $counter_2$ represents the number of $receive\_pkt^{t,r}$ actions, that have occurred so far. The set $S$ determines which packets are delivered, and in what order: it contains pairs $(i, j)$ that correlate the $j$-th $receive\_pkt^{t,r}$ event with the $i$-th $send\_pkt^{t,r}$ event. Thus the restrictions in the definition of a delivery set correspond to the requirements that a packet should not be delivered unless it was sent, and that each packet should not be delivered more than once. The mapping $packet$ associates with an integer $i$ the packet that was sent in the $i$-th $send\_pkt^{t,r}$ event. Initially $counter_1$ and $counter_2$ are zero and $packet$ is undefined everywhere. The set $S$ is initialized to an arbitrary delivery set (and remains fixed).

When a $send\_pkt^{t,r}(p)$ action occurs, the counter $counter_1$ is incremented by one and $packet(i)$ is set to $p$, where $i$ is the new value of $counter_1$. The precondition of $receive\_pkt^{t,r}(p)$ is that there exists $i$ such that $packet(i) = p$ and $(i, counter_2 + 1) \in S$. The effect is to increment $counter_2$ by one. The fail, wake and crash actions have no effect. The partition puts all the output actions in a single class. We define the physical channel $C^{r,t}$ analogously.

For $x \in \{t, r\}$ define $\bar{x}$ so that $\bar{x} \in \{t, r\}$ and $\bar{x} \neq x$.

Lemma 6.1 The automaton $C^{x,\bar{x}}$ is a physical channel.

Proof: We must show that $fairbehs(C^{x,\bar{x}}) \subseteq scheds(PL^{x,\bar{x}})$. Let $\beta$ be a fair behavior of $C^{x,\bar{x}}$. If $\beta$ is either not well-formed or does not satisfy (PL1) or (PL2) then it is a schedule of $PL^{x,\bar{x}}$, since there are no constraints on such schedules. So suppose $\beta$ is well-formed and satisfies (PL1) and (PL2).

Suppose that (PL3) does not hold, i.e. there is a packet $p$ for which two $receive\_pkt^{x,\bar{x}}(p)$ events occur in $\beta$. Let $j_1$ and $j_2$ denote the number of $receive\_pkt^{x,\bar{x}}$ events up to and including the first and second $receive\_pkt^{x,\bar{x}}(p)$ respectively. The precondition of $receive\_pkt^{x,\bar{x}}(p)$ implies that there are $i_1$ and $i_2$ such that $(i_1, j_1), (i_2, j_2) \in S$ and the $i_1$-th and $i_2$-th $send\_pkt^{x,\bar{x}}$ events are both $send\_pkt^{x,\bar{x}}(p)$. Since $S$ is a delivery set, $i_1 \neq i_2$. This contradicts the assumption that $\beta$ satisfies (PL2). Therefore, (PL3) is satisfied.

One of the preconditions of the $j$-th $receive\_pkt^{x,\bar{x}}(p)$ is that there exists $i$ such that $packet(i) = p$. Thus the $i$-th $send\_pkt^{x,\bar{x}}$ event in $\beta$ is $send\_pkt^{x,\bar{x}}(p)$. Also, the $receive\_pkt^{x,\bar{x}}(p)$ occurs after $packet(i)$ is defined, i.e. after the $send\_pkt^{x,\bar{x}}(p)$ event. This implies that (PL4) is satisfied.

Suppose that $\beta$ has an unbounded working interval, and fix a point in that interval just after, say, the $k$-th event in $\beta$. Suppose that infinitely many $send\_pkt^{x,\bar{x}}$ events occur after the given point. Let $j$ be the number of $receive\_pkt^{x,\bar{x}}$ events in $\beta$ up to the given point. Since $S$ is a delivery set, there exists $i$ such that $(i, j+1) \in S$. Let $p$ be the packet appearing in the $i$-th $send\_pkt^{x,\bar{x}}$ event in $\beta$. Then the precondition of $receive\_pkt^{x,\bar{x}}(p)$ eventually becomes true, and stays true until the action occurs. Thus, $receive\_pkt^{x,\bar{x}}(p)$ appears in $\beta$, sometime after the $k$-th event. Therefore, $\beta$ satisfies (PL6). □


The following lemma shows that $C^{x,\bar{x}}$ has among its behaviors all of the "sensible" failure-free schedules of the specification $PL^{x,\bar{x}}$.

Lemma 6.2 Suppose $\beta$ is in $scheds(PL^{x,\bar{x}})$, and $\beta$ is well-formed, satisfies (PL1) and (PL2), and contains no $fail^{x,\bar{x}}$ or $crash^{x,\bar{x}}$ events. Then $\beta \in fairbehs(C^{x,\bar{x}})$.

We can combine the permissive physical channels with an arbitrary data link protocol, as follows. If $A$ is a data link protocol, then let $D(A)$ be the composition of $A^t$, $A^r$, $C^{t,r}$ and $C^{r,t}$. Also let $D'(A) = hide_\Phi(D(A))$, where $\Phi$ is the subset of $acts(D(A))$ consisting of $send\_pkt$ and $receive\_pkt$ actions.

6.2 A Permissive FIFO Physical Channel

We also define a particular permissive FIFO physical channel, which we will use in the argument of Section 7. We define $\hat{C}^{t,r}$ to be identical to $C^{t,r}$ except that the start states are restricted to be those in which the delivery set $S$ is monotone, that is, there are no pairs $(i_1, j_1)$ and $(i_2, j_2)$ in $S$ with $i_1 < i_2$ and $j_1 > j_2$. Similarly, we define $\hat{C}^{r,t}$.

Since every finite (resp. fair) execution of $\hat{C}^{t,r}$ is also a finite (resp. fair) execution of $C^{t,r}$, we see that $\hat{C}^{t,r}$ is a physical channel. The restriction on the delivery set ensures that it is a FIFO physical channel.
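As an added worked example (Python code written for this edition, not from the paper), the permissive channel $C^{t,r}$ of Section 6.1 and its FIFO restriction $\hat{C}^{t,r}$ are simulated below. Since a delivery set $S$ is infinite, the simulation represents it by a finite prefix: `delivery[j-1]` is the unique $i$ with $(i, j) \in S$, for the first `len(delivery)` receive events. This finite representation, and the decision to fire all sends before letting the output class run, are assumptions of the example. Monotonicity of $S$ becomes the prefix being strictly increasing.

```python
"""Simulation of the permissive physical channel C^{t,r} and its FIFO variant."""


def is_delivery_prefix(delivery):
    """A finite prefix of a delivery set: delivery[j-1] = i means (i, j) in S.
    'For each i at most one j' becomes: the entries are positive and pairwise distinct."""
    return all(isinstance(i, int) and i >= 1 for i in delivery) and len(set(delivery)) == len(delivery)


def is_monotone(delivery):
    """No (i1, j1), (i2, j2) in S with i1 < i2 and j1 > j2, i.e. the prefix is strictly increasing."""
    return all(a < b for a, b in zip(delivery, delivery[1:]))


class PermissiveChannel:
    """One direction of the channel; the start state fixes S (here, its prefix) once and for all."""

    def __init__(self, delivery, fifo=False):
        if not is_delivery_prefix(delivery):
            raise ValueError("not a prefix of a delivery set")
        if fifo and not is_monotone(delivery):
            raise ValueError("the FIFO channel requires a monotone delivery set")
        self.delivery = list(delivery)
        self.counter1 = 0      # number of send_pkt events so far
        self.counter2 = 0      # number of receive_pkt events so far
        self.packet = {}       # i -> packet carried by the i-th send_pkt event

    def send_pkt(self, p):
        """Effect of send_pkt(p): counter1 += 1; packet(counter1) := p."""
        self.counter1 += 1
        self.packet[self.counter1] = p

    def status_event(self, kind):
        """wake, fail and crash are inputs with no effect on the channel state."""
        assert kind in ("wake", "fail", "crash")

    def deliverable(self):
        """The packet p for which receive_pkt(p) is enabled, or None.
        Precondition: some i has packet(i) = p and (i, counter2 + 1) in S."""
        j = self.counter2 + 1
        if j > len(self.delivery):
            return None                      # beyond the represented prefix of S
        return self.packet.get(self.delivery[j - 1])

    def receive_pkt(self):
        """Effect of receive_pkt(p): counter2 += 1; returns the delivered p."""
        p = self.deliverable()
        if p is None:
            raise RuntimeError("receive_pkt is not enabled in this state")
        self.counter2 += 1
        return p


def run(delivery, packets, fifo=False):
    """Send all packets, then let the single output class run until no receive is enabled."""
    ch = PermissiveChannel(delivery, fifo)
    for p in packets:
        ch.send_pkt(p)
    out = []
    while ch.deliverable() is not None:
        out.append(ch.receive_pkt())
    return out


if __name__ == "__main__":
    print(run([1, 2, 3, 4], list("abcd"), fifo=True))   # lossless FIFO
    print(run([1, 3], list("abcd"), fifo=True))         # FIFO with losses
    print(run([2, 1, 4, 3], list("abcd")))              # non-FIFO reordering
    print(run([3, 1], list("ab")), run([3, 1], list("abc")))
```

The identity prefix delivers everything in order; the monotone prefix 1, 3 drops every second packet but never reorders; the prefix 2, 1, 4, 3 reorders pairs, so it is rejected when `fifo=True`; and the prefix 3, 1 shows why (PL6) is stated for infinitely many sends: nothing is deliverable until the third send occurs, after which the first packet follows.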

If $A = (A^t, A^r)$ is a data link protocol, let $\hat{D}(A)$ be the composition of $A^t$, $A^r$, $\hat{C}^{t,r}$ and $\hat{C}^{r,t}$. Also let $\hat{D}'(A) = hide_\Phi(\hat{D}(A))$, where $\Phi$ is the subset of $acts(\hat{D}(A))$ consisting of $send\_pkt$ and $receive\_pkt$ actions.

6.3 Properties of the Permissive Physical Channels

We collect here some simple properties of the channels just defined, for use in Sections 7 and 8.

We begin this subsection with a useful definition. Namely, we define a partial function $del(S, (i, j))$ that takes a delivery set $S$ and a pair $(i, j) \in S$, and returns a new delivery set $S'$. The new set $S'$ represents the result of deleting the given pair from the set, and is defined as follows. (1) For every $j' < j$, $(i', j') \in S'$ iff $(i', j') \in S$. (2) $(i, j) \notin S'$. (3) For every $j' \geq j$, $(i', j') \in S'$ iff $(i', j' + 1) \in S$. We extend the function $del$ so that its second argument is any finite subset of $S$ rather than just a single pair, in the natural way: $del(S, X \cup \{(i, j)\}) = del(del(S, X), (i, j))$, where the pairs are removed in order of decreasing second component, so that a pair not yet removed is unaffected by the earlier removals. Notice that if $S$ is a monotone delivery set, so is $del(S, X)$.

We say a state of $C^{x,\bar{x}}$ or $\hat{C}^{x,\bar{x}}$ is clean if (i) $S$ does not contain any pair $(i, j)$ with $i \leq counter_1$ and $j > counter_2$, and (ii) $S$ contains $(counter_1 + k, counter_2 + k)$ for all $k > 0$. The intuition is that the channel is empty, and from now on will act FIFO with no losses. The next lemma is proved by altering the delivery set without changing those pairs $(i, j)$ with $j \leq counter_2$.

Lemma 6.3 If $\beta$ is a schedule of $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) then there is a state $s$ of $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) such that $\beta$ can leave $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) in $s$ and $s$ is clean.

If $s$ is a state of $C^{x,\bar{x}}$ or $\hat{C}^{x,\bar{x}}$, we say that a sequence of packets $Q = q_1 q_2 \ldots q_k$ is waiting in $s$ if for all $l$ such that $1 \leq l \leq k$ there is an integer $i_l$ such that $packet(i_l) = q_l$ and $(i_l, counter_2 + l) \in S$ in $s$.

We have the fundamental property that a channel can deliver a sequence of packets that are waiting in its state.

Lemma 6.4 Let $s$ be a state of $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) and $Q = q_1 q_2 \ldots q_k$ a sequence of packets such that $Q$ is waiting in $s$. Then there is an execution fragment starting with state $s$ with schedule $receive\_pkt^{x,\bar{x}}(q_1) \ldots receive\_pkt^{x,\bar{x}}(q_k)$.

We now give a lemma that shows that certain schedules can leave a channel in a state where packets are waiting.

Lemma 6.5 If $\beta$ is a schedule of $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) and $\gamma$ is a sequence of input actions of $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) such that $Q = q_1 q_2 \ldots q_n$ is the sequence of packets sent in $\gamma$, then $\beta\gamma$ is a schedule of $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) that can leave $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) in a state in which $Q$ is waiting.

By surgery on $S$ (using the $del$ function) we obtain the following lemma, which expresses the ability of the channels to lose any packets that have not been delivered.

Lemma 6.6 If $\beta$ is a schedule of $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) that can leave $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) in a state $s$ in which $Q$ is waiting, and $Q'$ is a subsequence of $Q$, then there is a state $s'$ such that $\beta$ can leave $C^{x,\bar{x}}$ (resp. $\hat{C}^{x,\bar{x}}$) in $s'$ and $Q'$ is waiting in $s'$.

We have an extra result for the non-FIFO channels. We say that a packet $p$ is in transit from $x$ to $\bar{x}$ in a sequence $\beta$ of actions provided that $send\_pkt^{x,\bar{x}}(p)$ occurs in $\beta$ and $receive\_pkt^{x,\bar{x}}(p)$ does not occur in $\beta$. We have the result that any sequence of packets in transit can be waiting in the channel.

Lemma 6.7 Let $\beta$ be a schedule of $C^{x,\bar{x}}$, and $Q$ a sequence of distinct packets. If each packet in the sequence is in transit from $x$ to $\bar{x}$ in $\beta$, then $\beta$ can leave $C^{x,\bar{x}}$ in a state $s$ such that $Q$ is waiting in $s$.
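The following added Python example (written for this edition, not from the paper) carries out the delivery-set surgery of this subsection on a finite-prefix representation of $S$, in which `delivery[j-1] = i` means $(i, j) \in S$: `delete_pair` is $del(S, (i, j))$, `delete_pairs` its extension to a finite set of pairs, `waiting` computes the longest sequence $Q$ waiting in a state, and `lose` performs the step behind Lemma 6.6, deleting the pairs of the packets in $Q$ that are not in the chosen subsequence $Q'$ while leaving every pair with $j \leq counter_2$ untouched. The channel state is a plain dict and the example state is constructed; both are assumptions of the example.

```python
"""Surgery on delivery sets: del, waiting packets and the construction behind Lemma 6.6."""


def delete_pair(delivery, j):
    """del(S, (i, j)) on a finite prefix: pairs with j' < j are kept, the pair at j is removed,
    and every pair (i', j' + 1) with j' >= j moves to (i', j')."""
    if not 1 <= j <= len(delivery):
        raise ValueError("(i, j) is not in the represented prefix of S")
    return delivery[:j - 1] + delivery[j:]


def delete_pairs(delivery, js):
    """del(S, X) for a finite set X, given by the second components of its pairs.
    Deleting in decreasing j keeps the not-yet-deleted pairs at their positions."""
    for j in sorted(set(js), reverse=True):
        delivery = delete_pair(delivery, j)
    return delivery


def is_monotone(delivery):
    """The prefix is strictly increasing, i.e. S restricted to it is monotone."""
    return all(a < b for a, b in zip(delivery, delivery[1:]))


def waiting(state):
    """The longest Q = q_1 ... q_k waiting in state: q_l = packet(i_l) with (i_l, counter2 + l) in S."""
    delivery, c2, packet = state["delivery"], state["counter2"], state["packet"]
    q = []
    for l in range(1, len(delivery) - c2 + 1):
        i = delivery[c2 + l - 1]
        if i not in packet:            # slot refers to a packet not yet sent: nothing more is waiting
            break
        q.append(packet[i])
    return q


def lose(state, keep):
    """Lemma 6.6: with Q waiting in state, return a state in which the subsequence Q' of Q
    selected by the 0-based positions in keep is waiting, by deleting from S the pairs
    (i_l, counter2 + l) of the dropped packets.  Pairs with j <= counter2 are untouched."""
    q = waiting(state)
    c2 = state["counter2"]
    dropped = [c2 + l + 1 for l in range(len(q)) if l not in keep]
    new_state = dict(state)
    new_state["delivery"] = delete_pairs(state["delivery"], dropped)
    return new_state


# Constructed example state of a FIFO channel after four sends and one receive.
EXAMPLE_STATE = {
    "counter1": 4,
    "counter2": 1,
    "packet": {1: "a", 2: "b", 3: "c", 4: "d"},
    "delivery": [1, 2, 3, 4, 5, 6],
}

if __name__ == "__main__":
    print(waiting(EXAMPLE_STATE))
    lossy = lose(EXAMPLE_STATE, keep={0, 2})
    print(waiting(lossy), lossy["delivery"], is_monotone(lossy["delivery"]))
```

In the example state the packets b, c, d are waiting; keeping positions 0 and 2 deletes the pair $(3, 3)$, after which b, d are waiting, the pair $(1, 1)$ with $j \leq counter_2$ is unchanged, and the delivery set is still monotone, as the remark after the definition of $del$ states.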

7  Tolerating  Host  Crashes 

In a data link protocol a useful property would be the ability of the protocol to tolerate a host crash. A host crash causes all the memory at the host to be lost. (In our model this is reflected by setting the state of the automaton in that host to its distinguished initial state.) Baratz and Segall [BS83] conjectured that no such protocol is possible. The link initialization protocol of [BS83] cannot tolerate host crashes as we have defined them. However, if there is a single non-volatile bit (a bit that is not reset during the host crash) the [BS83] protocol is correct. We prove that no message-independent data link protocol can tolerate arbitrary host crashes (without access to non-volatile memory).

The essence of our proof is to take a data link protocol that is alleged to be crashing, message-independent and weakly correct, and to find two executions of the system that leave the transmitting and receiving automata in equivalent states, although in one every message has been delivered and in the other there is an undelivered message. The protocol must eventually deliver the missing message in any fair extension of the second execution, even if no more inputs arrive from the environment. An equivalent extension of the first execution will cause some message to be delivered, although every message sent had already been delivered. This contradicts the claimed correctness of the protocol.

Recall that for $x \in \{t,r\}$ we define $\bar x$ so that $\bar x \in \{t,r\}$ and $\bar x \neq x$, and we define $D'(A)$ to be the result of composing data link protocol $A$ with the permissive FIFO physical channels $C^{t,r}$ and $C^{r,t}$ and then hiding the sending and receiving of packets. For $\alpha = s_0\pi_1 s_1 \ldots \pi_n s_n$ a finite execution of $D'(A)$ and $k$ an integer with $0 \le k \le n$ let us define the following: $in_A(\alpha,x,k)$ is the sequence of packets received by $A^x$ during the first $k$ steps of $\alpha$; $out_A(\alpha,x,k)$ is the sequence of packets sent by $A^x$ during the first $k$ steps of $\alpha$; $state_A(\alpha,x,k)$ is the state of $A^x$ in $s_k$; $acts_A(\alpha,x,k)$ is the sequence of actions of $A^x$ during the first $k$ steps of $\alpha$.

We now state the main lemmas we will use to prove the result of this section.

The first lemma shows that one can modify the suffix of an extension of one execution to give an extension of another, if the two executions end with the data link protocol automata in equivalent states. This modification may alter states and actions, but only into equivalent states and actions. This lemma can be proved by an easy induction on $j$, using the definition of message-independence.

Lemma 7.1 Let $A = (A^t, A^r)$ be a message-independent data link protocol. Let $\alpha = s_0\pi_1 s_1 \ldots \pi_n s_n$ and $\hat\alpha = \hat s_0\hat\pi_1\hat s_1 \ldots \hat\pi_k\hat s_k$ be finite executions of $D'(A)$ with the following properties: $state_A(\alpha,x,n) \equiv state_A(\hat\alpha,x,k)$ for $x \in \{t,r\}$, and in both $s_n$ and $\hat s_k$, both physical channels are clean.

Suppose $\hat\alpha_1 = \hat s_0\hat\pi_1\hat s_1 \ldots \hat\pi_k\hat s_k\hat\pi_{k+1}\hat s_{k+1} \ldots \hat\pi_{k+l}\hat s_{k+l}$ is a finite execution of $D'(A)$ that is an extension of $\hat\alpha$. Then there exists a finite execution $\alpha_1 = s_0\pi_1 s_1 \ldots \pi_n s_n\pi'_{n+1}s'_{n+1} \ldots \pi'_{n+l}s'_{n+l}$ that is an extension of $\alpha$ such that for all $j$ with $1 \le j \le l$, $\hat\pi_{k+j} \equiv \pi'_{n+j}$ and $state_A(\alpha_1,x,n+j) \equiv state_A(\hat\alpha_1,x,k+j)$ for $x \in \{t,r\}$.

The next lemma will be crucial in the inductive proof of Lemma 7.3. Speaking informally, we use it to "pump up" the sequence of packets waiting in the channels, as illustrated in Figure 4. If a schedule can leave the system so that waiting in one physical channel is a sequence of packets equivalent to the packets delivered across that channel in a reference execution, then we can extend the schedule by crashing the destination host and replaying that host's part of the reference execution, and this can leave the system so that a sequence of packets is waiting in the other physical channel, equivalent to the packets sent by the host in the reference execution.


Lemma 7.2 Let $A = (A^t, A^r)$ be a message-independent, crashing data link protocol. Let $\alpha = s_0\pi_1 s_1 \ldots \pi_n s_n$ be an execution of $D'(A)$ such that $\pi_1 = wake^{t,r}$, $\pi_2 = wake^{r,t}$ and no wake, fail or crash events occur in $\pi_3 \ldots \pi_n$. Suppose $x \in \{t,r\}$, $k$ is an integer with $2 \le k \le n$ and $\beta$ is a finite schedule of $D'(A)$ with the following properties:

1. $beh(\beta)$ is well-formed, satisfies (DL1)-(DL3), and contains unbounded transmitter and receiver working intervals, and

2. $\beta$ can leave $D'(A)$ in a state where the state of $A^{\bar x}$ is $s$, and a sequence $Q$ of distinct packets is waiting in the state of $C^{\bar x,x}$ such that $Q \equiv in_A(\alpha,x,k)$.

Then there is a sequence $\gamma$ of actions of $A^x$ with the following properties:

1. $\beta\gamma$ is a finite schedule of $D'(A)$,

2. $beh(\beta\gamma)$ is well-formed, satisfies (DL1)-(DL3) and contains unbounded transmitter and receiver working intervals,

3. $\gamma \equiv crash^{x,\bar x}\,acts_A(\alpha,x,k)$, and

4. $\beta\gamma$ can leave $D'(A)$ in a state where the state of $A^{\bar x}$ is $s$, the state of $A^x$ is $s'$ such that $s' \equiv state_A(\alpha,x,k)$, and a sequence $Q'$ of distinct packets is waiting in the state of $C^{x,\bar x}$ such that $Q' \equiv out_A(\alpha,x,k)$.

Proof: As notation, let $(s_0\pi_1 s_1 \ldots \pi_k s_k)|A^x = t_0\phi_1 t_1 \ldots \phi_l t_l$, so $\phi_1 \ldots \phi_l = acts_A(\alpha,x,k)$, $t_l = state_A(\alpha,x,k)$, the sequence of packets sent in $\phi_1 \ldots \phi_l$ is $out_A(\alpha,x,k)$ and the sequence of packets received in $\phi_1 \ldots \phi_l$ is $in_A(\alpha,x,k)$. Also let $Q = q_1 \ldots q_{l'}$.

First we construct inductively an execution $\hat\alpha_1$ of $A^x$. To begin, let $s'_0\pi'_1 s'_1 \ldots \pi'_j s'_j$ be some execution of $A^x$ with schedule $\beta|A^x$; such an execution exists because $\beta|A^x$ is a schedule of $A^x$ by Lemma 2.2. Put $\pi'_{j+1} = crash^{x,\bar x}$ and put $s'_{j+1} = t_0$, the initial state of $A^x$. Since $A^x$ is crashing, $(s'_j, \pi'_{j+1}, s'_{j+1})$ is a step of $A^x$. Put $\pi'_{j+2} = wake^{x,\bar x} = \phi_1$ and $s'_{j+2} = t_1$. Then $(s'_{j+1}, \pi'_{j+2}, s'_{j+2})$ is a step of $A^x$ since $(t_0, \phi_1, t_1)$ is.

So suppose that we have so far constructed $s'_0\pi'_1 s'_1 \ldots \pi'_{j+1+i}s'_{j+1+i}$ for $i$ such that $1 \le i < l$, so that $s'_{j+1+i} \equiv t_i$. We show how to define $\pi'_{j+i+2}$ and then how to define $s'_{j+i+2}$.

1. If $\phi_{i+1} = receive\_pkt^{\bar x,x}(p)$ then put $\pi'_{j+i+2} = receive\_pkt^{\bar x,x}(q_h)$ where $h$ is chosen so that $\phi_{i+1}$ is the $h$-th $receive\_pkt^{\bar x,x}$ event in $\alpha$. By the assumption that $Q \equiv in_A(\alpha,x,k)$, we have $\pi'_{j+i+2} \equiv \phi_{i+1}$. Since the automaton is input-enabled, $\pi'_{j+i+2}$ is enabled in $s'_{j+i+1}$.

2. If $\phi_{i+1} = send\_msg^{t,r}(m)$ (which can only happen if $x = t$) then put $\pi'_{j+i+2} = send\_msg^{t,r}(m')$ where $m'$ is any message such that $send\_msg^{t,r}(m')$ does not occur in the sequence constructed so far. This is possible by the assumption that there is an infinite alphabet of messages. By the assumption of message-independence, $\pi'_{j+i+2} \equiv \phi_{i+1}$. Since the automaton is input-enabled, $\pi'_{j+i+2}$ is enabled in $s'_{j+i+1}$.

3. If $\phi_{i+1}$ is a locally controlled action of $A^x$ then let $\pi'_{j+i+2}$ be a locally controlled action that is enabled in $s'_{j+i+1}$ such that $\pi'_{j+i+2} \equiv \phi_{i+1}$. This is possible by the assumption of message-independence, since $s'_{j+i+1} \equiv t_i$ and $\phi_{i+1}$ is enabled in $t_i$.

By the assumption that $\phi_{i+1}$ is not a wake, fail or crash event, these exhaust the possibilities. Now choose $s'_{j+i+2}$ so that $(s'_{j+i+1}, \pi'_{j+i+2}, s'_{j+i+2})$ is a step of $A^x$ and $s'_{j+i+2} \equiv t_{i+1}$, which is possible by the assumption of message-independence, since $(t_i, \phi_{i+1}, t_{i+1})$ is a step of $A^x$ and $\pi'_{j+i+2}$ was chosen in every case to ensure that it was equivalent to $\phi_{i+1}$ and enabled in $s'_{j+i+1}$.

Completing the construction above gives a finite execution $\hat\alpha_1 = s'_0\pi'_1 \ldots \pi'_{j+l+1}s'_{j+l+1}$ of $A^x$. Let $\gamma = \pi'_{j+1}\pi'_{j+2} \ldots \pi'_{j+l+1}$. By the construction we see $\gamma \equiv crash^{x,\bar x}\phi_1 \ldots \phi_l = crash^{x,\bar x}\,acts_A(\alpha,x,k)$. Since $beh(\beta)$ is well-formed, and $\gamma$ begins with $crash^{x,\bar x}wake^{x,\bar x}$ and contains no subsequent crash, wake or fail events, we see that $beh(\beta\gamma)$ is well-formed. Similarly $beh(\beta\gamma)$ satisfies (DL1)-(DL3) and contains unbounded transmitter and receiver working intervals.

Now $\beta\gamma|A^x$ is just $\pi'_1\pi'_2 \ldots \pi'_{j+l+1}$, so $\beta\gamma|A^x$ is a finite schedule of $A^x$ that can leave $A^x$ in a state $s'_{j+l+1} \equiv t_l = state_A(\alpha,x,k)$. Also $\beta\gamma|A^{\bar x}$ is just $\beta|A^{\bar x}$ which is a finite schedule of $A^{\bar x}$ that can leave $A^{\bar x}$ in state $s$. Now $\gamma|C^{\bar x,x}$ is by construction $receive\_pkt^{\bar x,x}(q_1) \ldots receive\_pkt^{\bar x,x}(q_{l'})$ and since $\beta$ can leave $C^{\bar x,x}$ in a state where $Q$ is waiting we see by Lemma 6.4 that $\beta\gamma|C^{\bar x,x}$ is a finite schedule of $C^{\bar x,x}$. Finally $\gamma|C^{x,\bar x}$ consists of $crash^{x,\bar x}$ followed by a sequence of $send\_pkt^{x,\bar x}$ actions which is equivalent to the sequence of $send\_pkt^{x,\bar x}$ actions in $\phi_1\phi_2 \ldots \phi_l$. By Lemma 6.5, $\beta\gamma|C^{x,\bar x}$ is a finite schedule of $C^{x,\bar x}$ that can leave $C^{x,\bar x}$ in a state in which a sequence $Q'$ of packets is waiting, where $Q'$ is equivalent to $out_A(\alpha,x,k)$.

Now we apply Lemma 2.3 to deduce that $\beta\gamma$ is a finite schedule of $D'(A)$ that can leave $D'(A)$ in a state where the state of $A^{\bar x}$ is $s$, the state of $A^x$ is equivalent to $state_A(\alpha,x,k)$ and a sequence equivalent to $out_A(\alpha,x,k)$ is waiting in the state of $C^{x,\bar x}$. □

The next lemma shows that we can find an execution that ends with the data link protocol in states equivalent to those in any suitable given execution, but with a sequence of packets equivalent to those sent in the original execution waiting in the channels.

Lemma 7.3 Let $A$ be a message-independent, crashing data link protocol. Let $\alpha = s_0\pi_1 s_1 \ldots \pi_n s_n$ be an execution of $D'(A)$ such that $\pi_1 = wake^{t,r}$, $\pi_2 = wake^{r,t}$ and no wake, fail or crash events occur in $\pi_3 \ldots \pi_n$. Suppose $k$ is an integer with $2 \le k \le n$. Let $x$ denote the station such that $\pi_k \in acts(A^x)$. Then there is a finite schedule $\beta$ of $D'(A)$ with the following properties:

1. $beh(\beta)$ is well-formed, satisfies (DL1)-(DL3), and contains unbounded transmitter and receiver working intervals, and

2. $\beta$ can leave $D'(A)$ in a state where the state of $A^x$ is equivalent to $state_A(\alpha,x,k)$, the state of $A^{\bar x}$ is equivalent to $state_A(\alpha,\bar x,k)$, and a sequence $Q$ of distinct packets is waiting in the state of $C^{x,\bar x}$ such that $Q \equiv out_A(\alpha,x,k)$.

Proof: Assume inductively that we have proved the lemma for all smaller values of $k$.

If all the actions $\pi_3, \ldots, \pi_k$ are in $acts(A^x)$, then $out_A(\alpha,\bar x,k)$ must be the empty sequence, and therefore we deduce that $in_A(\alpha,x,k)$ is also empty. Also $state_A(\alpha,\bar x,k)$ must be equal to $state_A(\alpha,\bar x,2)$. Thus the sequence $wake^{t,r}wake^{r,t}$ is a finite schedule of $D'(A)$ with well-formed behavior satisfying (DL1)-(DL3) and containing unbounded transmitter and receiver working intervals, that can leave $A^{\bar x}$ in state $state_A(\alpha,\bar x,k)$ with a sequence equivalent to $in_A(\alpha,x,k)$ waiting in $C^{\bar x,x}$. We can therefore apply Lemma 7.2 to obtain $\beta$.

Otherwise let $j$ be the greatest integer such that $2 \le j < k$ and $\pi_j \in acts(A^{\bar x})$. Then $in_A(\alpha,x,k)$ is a subsequence of $out_A(\alpha,\bar x,j)$, and $state_A(\alpha,\bar x,k)$ must equal $state_A(\alpha,\bar x,j)$. By using the assumed truth of the lemma for the smaller value $j$ we get a schedule $\beta_1$ with well-formed behavior satisfying (DL1)-(DL3) and containing unbounded transmitter and receiver working intervals that can leave $A^{\bar x}$ in a state equivalent to $state_A(\alpha,\bar x,j)$ with a sequence equivalent to $out_A(\alpha,\bar x,j)$ waiting in $C^{\bar x,x}$. By Lemma 6.6, $\beta_1$ can also leave $D'(A)$ in a state with $A^{\bar x}$ in a state equivalent to $state_A(\alpha,\bar x,j)$, and with a sequence equivalent to $in_A(\alpha,x,k)$ waiting in $C^{\bar x,x}$. We can therefore apply Lemma 7.2 to obtain $\beta$. □

We can now use the previous lemma to find a schedule of a crashing message-independent data link protocol that can lead to states equivalent to those at the end of a given execution, but in which a message has been sent but not received.

Lemma 7.4 Let $A = (A^t, A^r)$ be a message-independent, crashing data link protocol. Let $\alpha = s_0\pi_1 s_1 \ldots \pi_n s_n$ be an execution of $D'(A)$, such that $\pi_1 = wake^{t,r}$, $\pi_2 = wake^{r,t}$ and $beh(\alpha) = wake^{t,r}wake^{r,t}send\_msg^{t,r}(m)receive\_msg^{t,r}(m)$. Then there is a finite schedule $\beta$ of $D'(A)$ with the following properties:

1. $beh(\beta)$ is well-formed and satisfies (DL1)-(DL3),

2. $beh(\beta)$ ends in $send\_msg^{t,r}(m_1)$ for some $m_1$,

3. $\beta$ can leave $D'(A)$ in a state where the state of $A^t$ is equivalent to $state_A(\alpha,t,n)$, the state of $A^r$ is equivalent to $state_A(\alpha,r,n)$, and the state of each physical channel is clean.

Proof: Let $n'$ denote the greatest integer less than or equal to $n$ such that $\pi_{n'} \in acts(A^r)$. Lemma 7.3 yields a finite schedule $\beta'$ of $D'(A)$ with the following properties: $beh(\beta')$ is well-formed, satisfies (DL1)-(DL3), and contains unbounded transmitter and receiver working intervals, and $\beta'$ can leave $D'(A)$ in a state where the state of $A^r$ is equivalent to $state_A(\alpha,r,n')$, and a sequence $Q$ of distinct packets is waiting in the state of $C^{r,t}$ such that $Q \equiv out_A(\alpha,r,n')$.

Since the sequence $in_A(\alpha,t,n)$ is a subsequence of $out_A(\alpha,r,n')$, we can use Lemma 6.6 to see that $\beta'$ can also leave $D'(A)$ in a state where the state of $A^r$ is equivalent to $state_A(\alpha,r,n')$, and a sequence $Q'$ is waiting in the state of $C^{r,t}$ such that $Q' \equiv in_A(\alpha,t,n)$.

We can now apply Lemma 7.2 to obtain a sequence $\gamma$ such that $\beta'\gamma$ is a finite schedule of $D'(A)$, $beh(\beta'\gamma)$ is well-formed and satisfies (DL1)-(DL3), $\gamma \equiv crash^{t,r}\,acts_A(\alpha,t,n)$, and $\beta'\gamma$ can leave $D'(A)$ in a state where the state of $A^r$ is equivalent to $state_A(\alpha,r,n')$ and the state of $A^t$ is equivalent to $state_A(\alpha,t,n)$. By using Lemma 6.3 to modify the states of the channels, we see $\beta'\gamma$ can also leave $D'(A)$ in a state with all the properties listed already, and also both physical channels clean. We put $\beta = \beta'\gamma$.

We now note, using the definition of $n'$, that $state_A(\alpha,r,n') = state_A(\alpha,r,n)$. Since $\gamma$ is equivalent to $crash^{t,r}\,acts_A(\alpha,t,n)$ and $beh(acts_A(\alpha,t,n)) = beh(\alpha)|A^t$, we have that $beh(\beta)$ ends in $crash^{t,r}wake^{t,r}send\_msg^{t,r}(m_1)$ for some $m_1$. Since $beh(\beta)$ is well-formed and satisfies (DL1)-(DL3), we are done. □

Finally we can use the results above to prove our impossibility theorem.

Theorem 7.5 There is no data link protocol that is weakly correct with respect to FIFO physical channels, and is message-independent and crashing.

Proof: Assume that $A = (A^t, A^r)$ is such a protocol.

First we observe that there is a finite execution $\alpha = s_0\pi_1 s_1 \ldots \pi_n s_n$ of $D'(A)$ with the following properties: $beh(\alpha) = wake^{t,r}wake^{r,t}send\_msg^{t,r}(m)receive\_msg^{t,r}(m)$ for some $m$, $\pi_1 = wake^{t,r}$, $\pi_2 = wake^{r,t}$, and in $s_n$ each physical channel is clean. The existence of such an $\alpha$ is proved by using Lemma 4.1 to get an execution with the required behavior, truncating it after the state following the $receive\_msg^{t,r}(m)$ event (to make it finite), and finally using Lemma 6.3 to alter the component of each state of each physical channel, without altering the schedule, so as to leave the physical channels clean.

Next we appeal to Lemma 7.4 to obtain a finite execution $\hat\alpha = \hat s_0\hat\pi_1\hat s_1 \ldots \hat\pi_k\hat s_k$ of $D'(A)$ with the following properties: $beh(\hat\alpha)$ is well-formed, satisfies (DL1)-(DL3), ends in $send\_msg^{t,r}(m_1)$ for some $m_1$, $state_A(\hat\alpha,x,k) \equiv state_A(\alpha,x,n)$ for $x \in \{t,r\}$, and each physical channel is clean in $\hat s_k$.

By Lemma 2.1, there is a fair execution of $D'(A)$ that extends $\hat\alpha$ and contains no additional inputs to $D'(A)$. The behavior of this extension is well-formed and satisfies (DL1)-(DL3) since $beh(\hat\alpha)$ has these properties, and they are not affected by output actions. Thus the behavior of this extension must satisfy (DL8). Since $send\_msg^{t,r}(m_1)$ is followed in the extension by no input action of $D'(A)$, it occurs in an unbounded transmitter working interval. The extension therefore contains $receive\_msg^{t,r}(m_1)$ by (DL8). Thus the suffix of the extension after $\hat\alpha$ contains at least one $receive\_msg^{t,r}$ event, and it contains no input actions of $D'(A)$. Let $m_2$ be the message parameter in the first $receive\_msg^{t,r}$ event in the suffix of the extension. By truncating the extension after this $receive\_msg^{t,r}(m_2)$ event, we obtain a finite execution $\hat\alpha_1$ of $D'(A)$ with the following properties: it extends $\hat\alpha$, and $beh(\hat\alpha_1) = beh(\hat\alpha)receive\_msg^{t,r}(m_2)$.

Applying Lemma 7.1 to the executions $\alpha$, $\hat\alpha$ and $\hat\alpha_1$, we deduce the existence of a finite execution $\alpha_1$ of $D'(A)$ such that $\alpha_1$ extends $\alpha$ and the actions in the suffix of $\alpha_1$ after $\alpha$ are equivalent to those in the suffix of $\hat\alpha_1$ after $\hat\alpha$. Thus $\alpha_1$ has the following properties: it extends $\alpha$, and $beh(\alpha_1) = beh(\alpha)receive\_msg^{t,r}(m_3)$ for some $m_3$. Note that $beh(\alpha_1)$ is well-formed and satisfies (DL1)-(DL3).

Now we use Lemma 2.1 to get a fair extension of $\alpha_1$ with no additional inputs. This extension (whose behavior is well-formed and satisfies (DL1)-(DL3)) contains no additional outputs by (DL4) and (DL5). Thus this fair extension has behavior equal to $beh(\alpha_1)$. Thus we have shown that the sequence $wake^{t,r}wake^{r,t}send\_msg^{t,r}(m)receive\_msg^{t,r}(m)receive\_msg^{t,r}(m_3)$ is a fair behavior of $D'(A)$.

If $m_3 \neq m$ this fair behavior does not satisfy (DL5), since it contains $receive\_msg^{t,r}(m_3)$ but no $send\_msg^{t,r}(m_3)$. If $m_3 = m$ this fair behavior does not satisfy (DL4) since it contains two events $receive\_msg^{t,r}(m)$. In either case, since the fair behavior is well-formed and does satisfy (DL1)-(DL3), we have found a contradiction with the assumption that $D'(A)$ solves $WDL^{t,r}$. □


8 Using Bounded Headers With Non-FIFO Channels

In this section, we consider the case where the physical channel need not be FIFO; non-FIFO physical channels make the design of data link protocols more difficult than FIFO physical channels. We show that it is impossible to have a weakly correct, message-independent data link protocol that has bounded headers.


8.1 k-bounded Protocols

Our impossibility proof requires a technical restriction, that the protocol be "$k$-bounded". This restriction means that for any message, there is some execution in which at most $k$ packets are used to transmit the message. Most practical protocols are in fact 1-bounded. The formal definition of $k$-boundedness is made in terms of the permissive physical channel $C^{t,r}$ defined earlier.

We require a preliminary definition. Namely, a sequence of data link layer actions $\beta$ is valid if (1) $\beta$ is well-formed, (2) $\beta$ satisfies (DL1) to (DL5) and (DL8), and (3) a wake event, but no fail or crash events, occur in $\beta$.

The following lemmas give basic properties of valid sequences.

Lemma 8.1 Let $\beta$ be a valid sequence of data link layer actions. Let $m$ be a message. If $send\_msg^{t,r}(m)$ occurs in $\beta$ then $receive\_msg^{t,r}(m)$ occurs in $\beta$.

Proof: Suppose $send\_msg^{t,r}(m)$ occurs in $\beta$. By (DL1) the $send\_msg^{t,r}(m)$ event occurs in a transmitter working interval in $\beta$. Since there are no fail or crash events in $\beta$, this working interval is unbounded. Since (DL8) is satisfied, a $receive\_msg^{t,r}(m)$ also occurs in $\beta$. □

Lemma 8.2 Let $\beta$ be a valid sequence of data link layer actions and let $m$ be a message such that $send\_msg^{t,r}(m)$ does not occur in $\beta$. Then $\beta\,send\_msg^{t,r}(m)receive\_msg^{t,r}(m)$ is a valid sequence.

Recall that $D'(A) = hide_\Phi(D(A))$, where $D(A)$ is the composition of $A^t$, $A^r$, $C^{t,r}$ and $C^{r,t}$, and $\Phi$ is the subset of $acts(D(A))$ consisting of $send\_pkt$ and $receive\_pkt$ actions.

We say that $A$ is $k$-bounded if the following condition holds for every finite schedule $\beta$ of $D'(A)$ such that $beh(\beta)$ is valid, and for every message $m$ such that $send\_msg^{t,r}(m)$ does not occur in $\beta$: there is a schedule $\beta\gamma$ of $D'(A)$ such that

1. $beh(\gamma) = send\_msg^{t,r}(m)receive\_msg^{t,r}(m)$,

2. $\gamma$ does not include any $receive\_pkt^{t,r}(p)$ actions such that $send\_pkt^{t,r}(p)$ occurs in $\beta$, and

3. the number of $receive\_pkt^{t,r}$ events in $\gamma$ is at most $k$.

Suppose that $A$ is a $k$-bounded data link protocol. Let $\beta$ be a finite schedule of $D'(A)$ such that $beh(\beta)$ is valid and let $m$ be a message such that $send\_msg^{t,r}(m)$ does not occur in $\beta$. Then define $packet\_set_A(m,\beta)$ to be the set of packets received from $t$ by $r$ in some particular $\gamma$ such that $\beta\gamma$ is a schedule of $D'(A)$, $beh(\gamma) = send\_msg^{t,r}(m)receive\_msg^{t,r}(m)$, $\gamma$ does not include any $receive\_pkt^{t,r}(p)$ actions such that $send\_pkt^{t,r}(p)$ occurs in $\beta$, and such that the number of $receive\_pkt^{t,r}$ events in $\gamma$ is at most $k$. Such a $\gamma$ exists by the definition of $k$-boundedness.

8.2 The Proof

The essence of this section is to take a supposed message-independent, $k$-bounded weakly correct data link protocol with bounded headers, and to produce a schedule in which every message sent has been delivered, but a large collection of packets is in transit, in fact, a collection equivalent to the set of packets which can be used to transmit a new message. If those packets in transit are now delivered, the receiving automaton will announce delivery of a message although none was sent that has not been delivered already, contradicting the assumed weak correctness of the protocol.

We begin by defining a partial order between sets of packets, with a parameter $k$, with respect to an equivalence relation $\equiv$, in the following way: $T <_{k,\equiv} T'$ if: (1) $T \subseteq T'$, and (2) there exists a packet $p$, such that $p \in T'$, $p \notin T$ and the number of packets $p' \in T$ such that $p \equiv p'$ is less than $k$.

When the equivalence relation, $\equiv$, is clear from the context we use the notation $<_k$ for $<_{k,\equiv}$.

We now prove the crucial inductive step that we will use to "pump up" the collection of packets in transit.

Lemma 8.3 Let $k$ be an integer. Let $A$ be a weakly correct $k$-bounded data link protocol that is message-independent with respect to $\equiv$. Let $\beta$ be a finite schedule of $D'(A)$ such that $beh(\beta)$ is valid, and let $T$ be a set of packets that are in transit in $\beta|C^{t,r}$. Then at least one of the following holds.

1. There exists a message $m$ such that $send\_msg^{t,r}(m)$ does not occur in $\beta$ and there is a one-to-one mapping, $f$, from the packets in $packet\_set_A(m,\beta)$ to the packets in $T$, such that $p \equiv f(p)$ for all $p$.

2. There is a finite schedule $\beta\gamma$ of $D'(A)$ such that:

(a) $beh(\beta\gamma)$ is valid,

(b) $\gamma$ does not include any $receive\_pkt^{t,r}(p)$ action such that $send\_pkt^{t,r}(p)$ occurs in $\beta$, and

(c) there exists a set $T'$ of packets in transit in $\beta\gamma|C^{t,r}$, where $T <_k T'$.

Proof: Fix $k$, $A$, $\beta$ and $T$ as in the hypotheses. Let $m$ be any message such that $send\_msg^{t,r}(m)$ does not occur in $\beta$. Since $A$ is $k$-bounded, there exists a sequence $\gamma_1$ such that $\beta\gamma_1$ is a schedule of $D'(A)$, $beh(\gamma_1) = send\_msg^{t,r}(m)receive\_msg^{t,r}(m)$, $\gamma_1$ does not include any $receive\_pkt^{t,r}(p)$ events such that $send\_pkt^{t,r}(p)$ occurs in $\beta$, and the packets delivered from $t$ to $r$ in $\gamma_1$ are $packet\_set_A(m,\beta)$ and therefore are at most $k$ in number. It follows from Lemma 8.2 that $beh(\beta\gamma_1)$ is valid.

If for every packet $p$ in $packet\_set_A(m,\beta)$ there are at least $k$ packets $p'$ in $T$ such that $p' \equiv p$, then by standard results in combinatorics there is a one-to-one function $f$ from packets in $packet\_set_A(m,\beta)$ to packets in $T$, such that $f(p) \equiv p$ for all $p$. In such a case (1) holds.

Otherwise, we can find some packet $p_0$ in $packet\_set_A(m,\beta)$ such that there are fewer than $k$ packets $p'$ in $T$ such that $p_0 \equiv p'$. Since $\gamma_1$ contains $receive\_pkt^{t,r}(p_0)$ and no packet sent in $\beta$ is delivered in $\gamma_1$, $\gamma_1$ also contains $send\_pkt^{t,r}(p_0)$. Let $\rho$ denote the prefix of $\gamma_1$ up to and including $send\_pkt^{t,r}(p_0)$. We claim that there exists a sequence $\mu$ such that using $\gamma = \rho\mu$, $\beta\gamma$ satisfies (2).

In case either $receive\_msg^{t,r}(m)$ is in $\rho$ or $send\_msg^{t,r}(m)$ is not in $\rho$, $\mu$ can be taken to be the empty sequence. (In the former case, Lemma 8.2 implies that $beh(\beta\rho)$ is valid.) So suppose that $send\_msg^{t,r}(m)$ is in $\rho$ and $receive\_msg^{t,r}(m)$ is not in $\rho$.

By Lemma 6.3, there is an execution $\alpha'$ of $D'(A)$ such that $sched(\alpha') = \beta\rho$ and $C^{t,r}$ is clean in the final state of $\alpha'$. By Lemma 2.1, there is a fair execution $\alpha''$ of $D'(A)$ such that $\alpha''$ extends $\alpha'$ and contains no input events of $D'(A)$ except those in $\alpha'$. Let $sched(\alpha'') = \beta\rho\rho'$. Thus $\beta\rho\rho'$ is a fair schedule of $D'(A)$.

Since $A$ is weakly correct and $beh(\beta\rho\rho')$ is well-formed and satisfies (DL1)-(DL3), $beh(\beta\rho\rho')$ also satisfies (DL8). Since $send\_msg^{t,r}(m)$ occurs in $beh(\beta\rho\rho')$, (DL8) implies that $receive\_msg^{t,r}(m)$ also occurs in $beh(\beta\rho\rho')$. Let $\mu$ be the prefix of $\rho'$ ending with $receive\_msg^{t,r}(m)$. We claim that $\mu$ has the needed properties.

First, since every message sent in $\beta$ is received in $\beta$, and the only message sent in $\rho$ is $m$, $\mu$ contains no $receive\_msg^{t,r}$ events except $receive\_msg^{t,r}(m)$ by (DL4) and (DL5). Thus $beh(\beta\rho\mu) = beh(\beta)send\_msg^{t,r}(m)receive\_msg^{t,r}(m)$ which is valid by Lemma 8.2. Second, since $\mu$ is the schedule of an execution fragment that begins with $C^{t,r}$ in a clean state, $\rho\mu$ does not include any $receive\_pkt^{t,r}(p)$ such that $send\_pkt^{t,r}(p)$ occurs in $\beta$. Finally, the choice of $T' = T \cup \{p_0\}$ satisfies the third claim. □

Using the above we can find a schedule in which every message sent has been delivered, but where a large collection of packets is in transit.


Lemma 8.4 Let $k$ be an integer. Let $A = (A^t, A^r)$ be a weakly correct $k$-bounded data link protocol that is message-independent with respect to $\equiv$, and has bounded headers. Then there exist a finite schedule $\beta$ of $D'(A)$, a set $T$ of packets, and a message $m$ such that the following conditions are true. (1) $beh(\beta)$ is valid, (2) every packet in $T$ is in transit in $\beta|C^{t,r}$, (3) $send\_msg^{t,r}(m)$ does not occur in $\beta$, and (4) there is a one-to-one mapping, $f$, from the packets in $packet\_set_A(m,\beta)$ to the packets in $T$, such that $p \equiv f(p)$ for all $p$.

Proof: Let $H$ be the finite set $headers(A,\equiv)$. By the definition of the partial order $<_{k,\equiv}$, the maximum length of a chain of sets in the $<_{k,\equiv}$ order is at most $k \cdot |H|$.

Starting with $\beta_1$ as the schedule $wake^{t,r}wake^{r,t}$, and $T_1$ as the empty set, we apply Lemma 8.3 repeatedly, obtaining $\beta_i$ and $T_i$, $i = 2, \ldots$, as long as case (2) of the lemma holds. Since the construction ensures that $T_i <_{k,\equiv} T_{i+1}$ for all $i \ge 1$, eventually case (1) of Lemma 8.3 must hold. That is, for some fixed $i$, $\beta_i$ is a schedule of $D'(A)$, all packets in the set $T_i$ are in transit in $\beta_i$, and $beh(\beta_i)$ is valid; moreover, there exists a message $m$ such that $send\_msg^{t,r}(m)$ does not occur in $\beta_i$ and there is a one-to-one mapping, $f$, from the packets in $packet\_set_A(m,\beta_i)$ to the packets in $T_i$, such that $p \equiv f(p)$ for all $p$. Taking $\beta = \beta_i$ yields the result. □

Now we use the schedule given by the previous lemma to prove the impossibility result of this section.

Theorem 8.5 There is no weakly correct data link protocol that is message-independent, has bounded headers, and is $k$-bounded for some $k$.

Proof: Assume the contrary, and let $A = (A^t, A^r)$ be a data link protocol that satisfies all these conditions. Let $H$ be the finite set $headers(A,\equiv)$. The proof is done by creating a schedule of $D'(A)$ in which, for some message $m$, either $receive\_msg^{t,r}(m)$ appears twice, or a $receive\_msg^{t,r}(m)$ occurs although a $send\_msg^{t,r}(m)$ event does not occur.

Choose  m,  0  and  T  satisfying  Lemma  8.4. 
By  the  conclusions  of  that  lenuna  and  the  defi¬ 
nition  of  packet  jet  A,  there  exists  a  sequence  71 
of  actions  such  that  0yi  is  a  schedule  of  D'iA), 


=  send.msg*''(m)receive.mag‘‘'(m),  yi 
does  not  include  any  receive.pkt*'’'(p)  actions  such 
that  aend^kt*’'{p)  occurs  in  0,  all  the  packets  in  T 
are  in  transit  in  0,  and  there  is  a  one-to-one  map¬ 
ping,  /,  from  the  set  of  packets  delivered  at  r  in  71 
to  the  set  T  such  that  p  =  /(p)  for  all  p.  We  modify 
the  schedule  0‘fi  to  reach  the  contradiction. 

We  will  now  construct  a  sequence  7j  such 
that;  (1)  012  is  a  schedule  of  (2)  every 

receive.pkt*'’'{p)  action  in  72  has  a  aend.pkt*'’'(p) 
in  0,  and  (3)  72  is  equivalent  to  71  {A' . 

Let  a  be  an  execution  of  A'  such  that  ached(a)  = 
{01i)\A'.  We  first  construct  a  new  execution  a'  of 
A'  and  then  define  72  so  that  sched(a')  =  {0\A^)i7- 
The  construction  of  o'  is  done  by  induction 
on  the  lengths  of  prefixes  of  a.  Suppose  a  = 
sqS’iSi  -aj  and  let  a'  be  expressed  in  the  form 
a'  =  SgT^Si  ■  ■  s' .  For  each  i,  the  construction  will 
ensure  that  Si  S  s^  and  rt  =  ri  ' 

As  the  basis,  define  a  and  a'  to  be  identical  up  to 
and  including  the  state  just  after  the  portion  having 
schedule  0\A' .  Now  suppose  that  ■  ■  ■  af^  has 

already  been  defined  and  consider 
If  s'i.fi  is  a  reeeive^kt*''{p)  action,  then  de¬ 
fine  to  be  receive.p*t''''(/(p)).  By  assump¬ 
tion  on  /,  p  3  /(p),  so  that  receive.pkt*-'’(p)  = 
reeeive.pkt*''(f(p)),  i.e.,  x<+i  s 
If  iri4.i  is  a  locally-controlled  action  of  A',  then 
since  s<  =  s^  the  message-independence  assumption 
implies  that  there  is  an  action  equivalent  to 
that  is  enabled  in  sj;  let  ir<^i  be  this  action. 

Note  that  these  exhaust  the  possibilities  because 
6eh(7i|A'')  =  receive.mag*''(m),  so  Xj+i  cannot  be 
wake''*,  fair'*  or  eraah''*.  Having  defined  Vj+i, 
we  now  define  Sj.t.i.  Since  Si  =  sj  and  s  irj4.|, 
the  message-independence  assumption  implies  that 
there  is  a  state  a  such  that  a  s  ai^.i  and  (sj,  s) 
is  a  step  of  A'.  Let  sj^j  =  a.  This  completes  the 
construction  of  a'. 

Now fix $\gamma_2$ so that $\mathit{sched}(\alpha') = (\beta|A^r)\gamma_2$. Then we claim that $\gamma_2$ has the required properties. Properties (2) and (3) are immediate from the construction, as is the fact that $(\beta\gamma_2)|A^r$ is a schedule of $A^r$. By construction, no action in $\gamma_2$ is in $\mathit{acts}(A^t)$, so $(\beta\gamma_2)|A^t = \beta|A^t$, which is a schedule of $A^t$. Since $\beta|C^{rt}$ is a schedule of $C^{rt}$, and by construction $\gamma_2|C^{rt}$ is just a sequence of $\mathit{send\_pkt}^{rt}$ actions, which are inputs to $C^{rt}$, we deduce that $(\beta\gamma_2)|C^{rt}$ is a schedule of $C^{rt}$. Finally notice that $\beta|C^{tr}$ is a schedule of $C^{tr}$ and $\gamma_2|C^{tr}$ is a sequence of $\mathit{receive\_pkt}^{tr}$ actions for packets that are in transit from $t$ to $r$ in $\beta$. By Lemmas 6.7 and 6.4, $(\beta\gamma_2)|C^{tr}$ is a schedule of $C^{tr}$. Then Lemma 2.4 yields Property (1), completing the proof of our claim.

Since the action $\mathit{receive\_msg}^{tr}(m)$ occurs in $\gamma_1|A^r$ and $\gamma_2 \equiv \gamma_1|A^r$, there is some message $m'$ such that the action $\mathit{receive\_msg}^{tr}(m')$ occurs in $\gamma_2$. Fix $m'$ for the remainder of the proof.

By Lemma 2.1 there is a fair schedule $\beta\gamma_2\gamma_3$ of $D'(A)$ such that $\gamma_3$ contains no inputs to $D'(A)$. This has behavior that is well-formed and satisfies (DL1)-(DL3). Since $\mathit{beh}(\beta)$ is valid, for every message $m_i$ such that $\mathit{send\_msg}^{tr}(m_i)$ occurs in $\beta$, the event $\mathit{receive\_msg}^{tr}(m_i)$ also occurs in $\beta$. The action $\mathit{receive\_msg}^{tr}(m')$ appears in $\beta\gamma_2\gamma_3$. If the action $\mathit{send\_msg}^{tr}(m')$ appears in $\beta$, then a $\mathit{receive\_msg}^{tr}(m')$ event also occurs in $\beta$, so $\mathit{beh}(\beta\gamma_2\gamma_3)$ does not satisfy (DL4). On the other hand, if the action $\mathit{send\_msg}^{tr}(m')$ does not appear in $\beta$, then since no $\mathit{send\_msg}^{tr}$ events occur in $\gamma_2\gamma_3$, we see that $\mathit{beh}(\beta\gamma_2\gamma_3)$ does not satisfy (DL5). Either case yields a contradiction with the assumption that $D'(A)$ solves $\mathit{WDL}^{tr}$. □

Note that the execution constructed in the preceding impossibility proof did not include any fail or crash actions. In fact, we could just as well have proved the result for a simpler sort of data link layer specification, not including fail or crash actions at all.
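The inductive construction of $\alpha'$ above is easier to follow on a concrete automaton. The following Python model is an added example, not code from the paper: it assumes a toy alternating-bit receiver $A^r$ whose control state depends only on packet headers (so it is message-independent in the paper's sense), takes the equivalence $\equiv$ to mean "agree on everything except message text", and constructs the packet contents, the set of in-transit packets and the relabelling $f$ itself. It builds $\alpha'$ step by step exactly as the induction does, checks the invariant $s_i \equiv s'_i$ and $\pi_i \equiv \pi'_i$ after every step, and ends with the relabelled run delivering a message that $\beta$ had already delivered, which is the (DL4) branch of the contradiction.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Constructed toy model (not the paper's code).  Packets on the t->r channel
# are (header, message) pairs; "bounded headers" here means header in {0, 1}.
Packet = tuple[int, str]


@dataclass(frozen=True)
class Action:
    kind: str                     # "receive_pkt" (input) or "receive_msg" (output)
    header: Optional[int] = None  # packet header; None for receive_msg
    msg: str = ""                 # message text carried by the action


@dataclass(frozen=True)
class State:
    expected: int            # control part: header the receiver waits for next
    pending: Optional[str]   # message accepted but not yet handed to the host
    delivered: tuple = ()    # data part: history of receive_msg outputs


def step(s: State, act: Action) -> Optional[State]:
    """Transition relation of a toy alternating-bit receiver A^r.  Returns the
    post-state, or None if act is not enabled in s.  Control decisions look only
    at headers and at whether something is pending, never at message text, which
    is what makes this automaton message-independent."""
    if act.kind == "receive_pkt":                       # input: always enabled
        if act.header == s.expected and s.pending is None:
            return replace(s, pending=act.msg)          # accept the packet's payload
        return s                                        # stale header: ignore
    if act.kind == "receive_msg":                       # locally-controlled output
        if s.pending is not None and act.msg == s.pending:
            return State(1 - s.expected, None, s.delivered + (act.msg,))
        return None
    raise ValueError(act.kind)


def states_equivalent(a: State, b: State) -> bool:
    """s ≡ s': agree on everything except message text."""
    return (a.expected == b.expected and (a.pending is None) == (b.pending is None)
            and len(a.delivered) == len(b.delivered))


def actions_equivalent(a: Action, b: Action) -> bool:
    """π ≡ π': same action name and same header (message text may differ)."""
    return a.kind == b.kind and a.header == b.header


def run(s0: State, schedule: list[Action]) -> list[State]:
    """Execute a schedule from s0, raising if some action is not enabled."""
    states = [s0]
    for act in schedule:
        nxt = step(states[-1], act)
        if nxt is None:
            raise RuntimeError(f"{act} not enabled in {states[-1]}")
        states.append(nxt)
    return states


def relabel(s0: State, beta: list[Action], gamma1: list[Action],
            f: Callable[[Packet], Packet]) -> tuple[list[Action], list[State]]:
    """The inductive construction of α' from the proof.  α and α' coincide on the
    portion with schedule β; on γ_1 each receive_pkt(p) becomes receive_pkt(f(p))
    and each locally-controlled action is replaced by the equivalent action enabled
    in s'_i.  The asserts check the invariant s_i ≡ s'_i and π_i ≡ π'_i."""
    base = run(s0, beta)[-1]
    orig_states = run(base, gamma1)                 # the remainder of α
    new_sched, new_states = [], [base]
    for i, act in enumerate(gamma1):
        s_prime = new_states[-1]
        if act.kind == "receive_pkt":
            h, m = f((act.header, act.msg))
            act_prime = Action("receive_pkt", h, m)
        else:   # receive_msg is enabled in s'_i only for the text pending there
            act_prime = Action("receive_msg", msg=s_prime.pending or "")
        nxt = step(s_prime, act_prime)
        assert nxt is not None and actions_equivalent(act, act_prime)
        assert states_equivalent(orig_states[i + 1], nxt)
        new_sched.append(act_prime)
        new_states.append(nxt)
    return new_sched, new_states


def demo() -> tuple[str, str, bool]:
    """Constructed scenario: β delivers 'pay 10' (header 0) and 'pay 20' (header 1)
    while a retransmitted copy of (0, 'pay 10') is still in transit; γ_1 then
    delivers the fresh message 'pay 30' under the reused header 0.  Returns the
    message γ_1 delivers, the message γ_2 delivers, and whether the latter is a
    duplicate delivery (a (DL4) violation)."""
    beta = [Action("receive_pkt", 0, "pay 10"), Action("receive_msg", msg="pay 10"),
            Action("receive_pkt", 1, "pay 20"), Action("receive_msg", msg="pay 20")]
    gamma1 = [Action("receive_pkt", 0, "pay 30"), Action("receive_msg", msg="pay 30")]
    in_transit = [(0, "pay 10")]                    # packets in transit from t to r after β

    def f(p: Packet) -> Packet:                     # header-preserving map into in-transit packets
        return next(q for q in in_transit if q[0] == p[0])

    gamma2, states = relabel(State(expected=0, pending=None), beta, gamma1, f)
    m_new, m_prime = gamma1[-1].msg, gamma2[-1].msg
    return m_new, m_prime, states[-1].delivered.count(m_prime) > 1


if __name__ == "__main__":
    print(demo())   # ('pay 30', 'pay 10', True)
```

The receiver accepts the relabelled packet $(0, \text{'pay 10'})$ because header 0 is exactly what it is waiting for, and message-independence means it has no way to tell that packet from the fresh $(0, \text{'pay 30'})$; the (DL5) branch, where $m'$ was never sent at all, is the same construction with an in-transit packet whose text does not appear among the sent messages.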


9 Discussion

The formal definitions we have given, such as "message-independence" and "having bounded headers", seem to us to capture the essential features of the corresponding intuitive concepts as they appear in real network protocols, while also making the proofs easy. Alternative definitions could be given in some cases. We here mention a few points about these.

First, one might consider protocols where some simple information about the message content was used; for example, the length might determine the number of packets needed to contain the message. This could be modelled by allowing different messages to be in different equivalence classes. All that seems needed for the proofs we have given to remain valid is the existence of some class that contains enough different messages. In the final version of this paper we expect to extend all the proofs to this case.

Second, one might consider protocols where the number of different headers used in the packets that transmit the first $n$ messages is a function of $n$, rather than a constant as in a protocol with bounded headers. Stenning's protocol uses a new header for each new message, that is, the number of headers used grows linearly with $n$. We expect to model this in the final version of this paper, and repeat the proof given in Section 8 to show that using a sublinear number of headers is impossible if the physical channels might not be FIFO.